Abstract. We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the research on constructing hyperelliptic curves suitable for pairing-based cryptography. We also showcase the hyperelliptic pairings proposed to date, and develop a unifying framework. We discuss the techniques used to optimize the pairing computation on hyperelliptic curves, and present many directions for further research.



1. Introduction 

Numerous cryptographic protocols for secure key exchange and digital signatures are based on the computational infeasibility of the discrete logarithm problem in the underlying group. Here, the most common groups in use are multiplicative groups of finite fields and groups of points on elliptic curves over finite fields. Over the past years, many new and exciting cryptographic schemes based on pairings have been suggested, including one-round three-way key establishment, identity-based encryption, and short signatures [3, 4, 43, 64]. Originally, the Weil and Tate (-Lichtenbaum) pairings on supersingular elliptic curves were proposed for such applications, providing non-degenerate bilinear maps that are efficient to evaluate. Over time potentially more efficient pairings have been found, such as the eta [2], Ate [41] and R-ate [53] pairings. Computing any of these pairings involves finding functions with prescribed zeros and poles on the curve, and evaluating those functions at divisors.

As an alternative to elliptic curve groups, Koblitz [47] suggested Jacobians of hyperelliptic curves for use in cryptography. In particular, hyperelliptic curves of low genus represent a competitive choice. In 2007, Galbraith, Hess and Vercauteren [29] summarized the research on hyperelliptic pairings to date and compared the efficiency of pairing computations on elliptic and hyperelliptic curves. In this rapidly moving area, there have been several new developments since their survey: First, new pairings have been developed for the elliptic case, including so-called optimal pairings by Vercauteren [71] and a framework for elliptic pairings by Hess [40]. Second, several constructions of ordinary hyperelliptic curves suitable for pairing-based cryptography have been found [19, 22, 67, 20].

In this paper, we survey 

• the constructions of hyperelliptic curves suitable for pairings, especially in the ordinary case, 

• the hyperelliptic pairings proposed to date, and 

• the techniques to optimize computations of hyperelliptic pairings. 

We also

• give a unifying framework for hyperelliptic pairings which includes many of the recent variations of the Ate pairing, and

• present a host of potential further improvements.

Figure 1. Classification of hyperelliptic pairings

In this paper, we do not provide any comparative implementation, or give recommendations on which pairings should be used to satisfy certain user-determined criteria; this is left for future work.

In our presentation, we focus on the case of genus 2 hyperelliptic curves and their Jacobians. Among 
all curves of higher genus, such curves are of primary interest for cryptographic applications: On 
the one hand, we find explicit formulae along with various optimizations (e.g., [50, 73]), providing 
for an arithmetic that is somewhat competitive with elliptic curves. On the other hand, the security 
is exactly the same as in the elliptic case, with the best attacks on the discrete logarithm problem 
in the Jacobian being square-root attacks based on the Pollard rho method (cf. [25]). However, 
Galbraith, Hess and Vercauteren [29, §10.1] argue that pairing computations on hyperelliptic curves 
will always be slow compared to elliptic curves: The most expensive part of a standard Tate pairing 
computation consists of repeatedly evaluating some function on a divisor and computing the product 
of the values obtained. Both in the elliptic and in the hyperelliptic case these divisors are defined 
over fields of the same size, but the functions in the hyperelliptic case are more complicated. 

Figure 1 represents the collection of hyperelliptic pairings at a glance. For use in pairing-based applications, originally the Weil and Tate pairings were proposed. The Weil pairing is much more expensive to compute than the Tate pairing, so it is not used in practice. The pairings in the Ate family are potentially more efficient than the Tate pairing. Historically, the eta pairing was the first pairing to shorten the length of the Miller loop. It is defined on supersingular curves only and requires a final exponentiation. It gave rise to the Ate pairings which are defined for all curves. The hyperelliptic Ate pairing (which has a different definition than the elliptic Ate pairing!) has the advantage that its loop length is roughly half of the length of the Miller loop for the Tate pairing. It also is special in that it requires no final exponentiation (while the elliptic Ate pairing does require one). Other variations of the Ate pairing include the Hess-Vercauteren (HV) pairings. These are the pairings captured by our unifying framework, which generalizes work for the elliptic case by Hess [40] and Vercauteren [71]. HV pairings also have potentially shorter Miller loops than the Ate pairing, depending on the embedding degree of the Jacobian. All of the HV pairings involve a final exponentiation. Two examples of HV pairings are the R-ate and the Ate$_i$ pairings. Table 5.6 in Section 5 gives more details about the differences and merits of each pairing.

Our paper is organized as follows. In Section 2 we review some of the background on Jacobians of 
hyperelliptic curves. Section 3 discusses hyperelliptic curves of low embedding degree and what is 
known about constructing them. Section 4 gives an overview of the different pairings on hyperelliptic 
curves following the classification in Figure 1. We also introduce the HV pairing framework, give 
a direct proof of the non-degeneracy and bilinearity of the pairings captured by this framework 
and discuss how the Ate and R-ate pairings fit in. Section 5 describes the adaptation of Miller's 
algorithm to the hyperelliptic setting, presents common optimizations and compares all pairings 
according to their key characteristics of loop length and final exponentiation. Section 6 presents 
numerous problems for future work. 

2. Jacobians of Hyperelliptic Curves 
In this section, we fix some notation and terminology that will be used throughout the paper. 

2.1. Hyperelliptic curves. A hyperelliptic curve C over a field K is a non-singular projective curve of the form

$$C : y^2 + H(x)y = F(x) \in K[x, y].$$

Let g be the genus of the curve. Throughout this paper, we restrict to the case where F is monic, $\deg F(x) = 2g + 1$, and $\deg H(x) \le g$, so that C has one point at infinity, denoted $P_\infty$. When g = 1, C is an elliptic curve. For significant parts of our discussion, we will consider the case where g = 2.

Although the points of a genus $g \ge 2$ hyperelliptic curve do not form a group, there is an involution of the curve taking $P = (x, y)$ to the point $(x, -y - H(x))$, which we will denote $-P$. Then, in accordance with the notation, $-(-P) = P$.

2.2. Divisors and abelian varieties. Let K be a field over which C is defined, and let $\bar{K}$ be its algebraic closure. A divisor D on the curve C is a formal sum over all symbols (P), where P is a $\bar{K}$-point of the curve:

$$D = \sum_{P \in C(\bar{K})} n_P\,(P),$$

where all but finitely many of the coefficients $n_P \in \mathbb{Z}$ are zero. The collection of divisors forms an abelian group Div(C). The degree of a divisor is the sum

$$\deg(D) = \sum_{P \in C(\bar{K})} n_P,$$

and the support of a divisor is the set of points of the divisor with non-zero coefficients $n_P$. For any rational function f on C, there is an associated divisor

$$\mathrm{div}(f) = \sum_{P \in C(\bar{K})} \mathrm{ord}_P(f)\,(P)$$

which encodes the number and location of its zeroes and poles. Any divisor which is the divisor of a function in this way is called a principal divisor.
An element $\sigma$ in the Galois group of $\bar{K}$ over K, $\mathrm{Gal}(\bar{K}/K)$, acts on a divisor as follows:

$$\Big(\sum_{P \in C(\bar{K})} n_P\,(P)\Big)^{\sigma} = \sum_{P \in C(\bar{K})} n_P\,(P^{\sigma}).$$

In particular, let L be any intermediate field $K \subseteq L \subseteq \bar{K}$. Consider a function f defined over L; then div(f) is fixed by elements of $\mathrm{Gal}(\bar{K}/L)$. In fact, $\mathrm{div}(f)^{\sigma} = \mathrm{div}(f^{\sigma})$.

We give names to various sets of collections: Div(C) of divisors, $\mathrm{Div}^0(C)$ of degree zero divisors, Ppl(C) of principal divisors, $\mathrm{Div}_K(C)$ of divisors invariant under the action of $\mathrm{Gal}(\bar{K}/K)$, $\mathrm{Div}^0_K(C)$ of degree zero divisors invariant under the action of $\mathrm{Gal}(\bar{K}/K)$, and $\mathrm{Ppl}_K(C)$ of principal divisors invariant under the action of $\mathrm{Gal}(\bar{K}/K)$.

These are all abelian groups, which have the following subgroup relations:

    Div(C)    ⊃  Div^0(C)    ⊃  Ppl(C)
      ∪            ∪              ∪
    Div_K(C)  ⊃  Div^0_K(C)  ⊃  Ppl_K(C).

We make note of certain quotient groups:

$$\mathrm{Pic}(C) := \mathrm{Div}(C)/\mathrm{Ppl}(C), \qquad \mathrm{Pic}_K(C) := \mathrm{Div}_K(C)/\mathrm{Ppl}_K(C),$$
$$\mathrm{Pic}^0(C) := \mathrm{Div}^0(C)/\mathrm{Ppl}(C), \qquad \mathrm{Pic}^0_K(C) := \mathrm{Div}^0_K(C)/\mathrm{Ppl}_K(C).$$

Elements of these quotient groups are equivalence classes of divisors. Divisors $D_1$ and $D_2$ of the same class are said to be linearly equivalent, and we write $D_1 \sim D_2$.

Recall that an elliptic curve is an example of an abelian variety. In general, an abelian variety A over K is a projective algebraic variety over K along with a group law $\varphi : A \times A \to A$ and an inverse map $\mathrm{Inv} : A \to A$ sending $x \mapsto -x$ such that $\varphi$ and Inv are morphisms of varieties, both defined over K.

For an abelian variety A, a field K and an integer r, we let A(K)[r] denote the set of r-torsion points of A defined over K, that is, the set of points in A(K) of order dividing r. Now suppose A is an abelian variety over $\mathbb{F}_q$, with $q = p^m$. We say that A is simple if it is not isogenous over $\mathbb{F}_q$ to a product of lower dimensional abelian varieties. We call A absolutely simple if it is simple over $\bar{\mathbb{F}}_q$. We say A is supersingular if A is isogenous over $\bar{\mathbb{F}}_q$ to a power of a supersingular elliptic curve. (An elliptic curve E is supersingular if $E(\bar{\mathbb{F}}_q)$ has no points of order p.) An abelian variety A of dimension g over $\mathbb{F}_q$ is ordinary if $\#A(\bar{\mathbb{F}}_q)[p] = p^g$. Note that for dimension $g \ge 2$, there exist abelian varieties that are neither ordinary nor supersingular.

There is a natural isomorphism between the degree zero part of the Picard group $\mathrm{Pic}^0(C)$ of a hyperelliptic curve C and its Jacobian $\mathrm{Jac}_C$, which is an abelian variety into which the curve embeds (cf. [26]). For the remainder of this paper, we will identify the Picard group $\mathrm{Pic}^0(C)$ with $\mathrm{Jac}_C$.



2.3. Arithmetic in the Jacobian. We will work in the Jacobian $\mathrm{Jac}_C$ of a hyperelliptic curve C of genus g, whose elements are equivalence classes of degree-zero divisors. To do so, we choose a reduced representative in each such divisor class. A reduced divisor is one of the form

$$(P_1) + (P_2) + \cdots + (P_r) - r(P_\infty)$$

where $r \le g$, $P_\infty$ is the point at infinity on C, $P_i \ne -P_j$ for distinct i and j, and no $P_i$ satisfying $P_i = -P_i$ appears more than once. Such a divisor is called semi-reduced if the condition $r \le g$ is omitted. Each equivalence class contains exactly one reduced divisor. For a divisor D we will denote by $\rho(D)$ the reduced representative of its equivalence class. The action of Galois commutes with $\rho$, i.e. $\rho(D^\sigma) = \rho(D)^\sigma$, since the property of being reduced is preserved by the action of Galois.

To encode the reduced divisor in a convenient way, we write (u(x), v(x)) where u(x) is a monic polynomial whose roots are the x-coordinates $x_1, \ldots, x_r$ of the r points

$$P_1 = (x_1, y_1), \ldots, P_r = (x_r, y_r),$$

and where $v(x_i) = y_i$ for $i = 1, \ldots, r$. This so-called Mumford representation [59] is uniquely determined by and uniquely determines the divisor. To find this representation, it suffices to find u(x) and v(x) satisfying the following conditions:

(1) u(x) is monic,

(2) $\deg(v(x)) < \deg(u(x)) \le g$, and

(3) $u(x) \mid F(x) - v(x)H(x) - v(x)^2$,

where F{x) and H{x) are the polynomials defining the curve C (defined in Section 2.1). When we add 
two reduced divisors Di and D2 the result Di + D2 is not necessarily reduced. Beginning with two 
reduced divisors in Mumford representation, the algorithm to obtain the Mumford representation of 
the reduction of their sum can be explained in terms of the polynomials involved in the Mumford 
representation, without recourse to the divisor representation. This algorithm is originally due to 
Cantor [6], and in the form presented here to Koblitz [47]. The algorithm has two stages: in the 
first, we find a semi-reduced divisor Z) Di + D2, and in the second stage, we reduce D. Suppose 
that Di has Mumford representation (uj, Vj) for i = 1, 2. 

Stage 1:

(1) Find $d(x) = \gcd(u_1(x), u_2(x), v_1(x) + v_2(x) + H(x))$. Finding this via the extended Euclidean algorithm gives $s_1(x)$, $s_2(x)$ and $s_3(x)$ such that

$$d = s_1 u_1 + s_2 u_2 + s_3 (v_1 + v_2 + H).$$

(2) Calculate the quantities

$$u = u_1 u_2 / d^2, \qquad\text{and}\qquad v = \big(s_1 u_1 v_2 + s_2 u_2 v_1 + s_3 (v_1 v_2 + F)\big)/d \pmod{u(x)}.$$

(It is easily verified that the fraction on the right is defined since d(x) is a divisor of the numerator.)

At this point, the result (u, v) is a semi-reduced divisor linearly equivalent to $D_1 + D_2$. This stage corresponds to simply adding $D_1$ and $D_2$ and canceling any points with their negatives if applicable. In fact, we obtain

$$D' = D_1 + D_2 - \mathrm{div}(d).$$



Stage 2:

In this stage, if $\deg(u) > g$ we can replace (u, v) with a divisor (u', v') satisfying $\deg(u') < \deg(u)$. This replacement is as follows. Set

$$u' = (F - vH - v^2)/u, \qquad\text{and}\qquad v' = -H - v \pmod{u'}.$$

This stage corresponds to simplifying the divisor using the geometric group law nicely described for genus 2 by Lauter [51]. At each application of this loop to a divisor $D_3$, we obtain a divisor $D''$ satisfying¹

$$D'' = D_3 - \mathrm{div}\big((F - vH - v^2)/u'\big).$$

Applying this loop finitely many times, beginning with the result D' of stage one, we eventually obtain a reduced divisor D linearly equivalent to $D_1 + D_2$.

This algorithm has been optimized to avoid the use of the extended Euclidean algorithm, and in this form it is much more efficient [29]. An enhanced version of Cantor's Algorithm is given as Algorithm 2 in this paper; see Section 5.1. If steps 5 and 8 through 13 are removed from Algorithm 2, one has the version of Cantor's Algorithm discussed here.
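The two stages above, carried out on polynomials over a prime field $\mathbb{F}_p$, as an added example that is not the paper's code or its Algorithm 2: the polynomial helpers (padd, pxgcd, ...) and the Jacobian class are this example's own names, and the curve $y^2 = x^5 - x$ over $\mathbb{F}_{11}$ with its points (3, 3) and (6, 2) are constructed demo values.

```python
"""Cantor's algorithm (Section 2.3) in the Jacobian of C : y^2 + H(x) y = F(x) over F_p,
on divisors in Mumford representation (u, v).  Polynomials are coefficient lists, lowest
degree first, entries in [0, p); the zero polynomial is [].  Added example, not the paper's
Algorithm 2; helper names (padd, pxgcd, Jacobian, ...) are this example's own."""


def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)])

def psub(a, b, p):
    return padd(a, [(-c) % p for c in b], p)

def pmul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def pmonic(a, p):
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def pdivmod(a, b, p):
    """Quotient and remainder of a by the non-zero polynomial b."""
    a, inv, q = list(a), pow(b[-1], -1, p), [0] * max(len(a) - len(b) + 1, 0)
    while a and len(a) >= len(b):
        c, s = a[-1] * inv % p, len(a) - len(b)
        q[s] = c
        for i, y in enumerate(b):
            a[i + s] = (a[i + s] - c * y) % p
        trim(a)
    return trim(q), a

def pxgcd(a, b, p):
    """Extended Euclid: (d, s, t) with d = gcd(a, b) monic and d = s*a + t*b."""
    r0, r1, s0, s1, t0, t1 = list(a), list(b), [1], [], [], [1]
    while r1:
        q, r = pdivmod(r0, r1, p)
        r0, r1, s0, s1, t0, t1 = r1, r, s1, psub(s0, pmul(q, s1, p), p), t1, psub(t0, pmul(q, t1, p), p)
    inv = pow(r0[-1], -1, p)
    return tuple([c * inv % p for c in x] for x in (r0, s0, t0))


class Jacobian:
    """Jac_C for C : y^2 + H(x) y = F(x) with F monic of degree 2g + 1 (Section 2.1)."""

    def __init__(self, F, H, p):
        self.F, self.H, self.p, self.g = F, H, p, (len(F) - 2) // 2

    def divisor_of_point(self, P):
        """Class of (P) - (P_inf): u = x - x_P, v = y_P."""
        return ([(-P[0]) % self.p, 1], trim([P[1] % self.p]))

    def negate(self, D):
        """-D keeps u and replaces v by -H - v mod u (the involution of Section 2.1)."""
        return (D[0], pdivmod(psub([], padd(D[1], self.H, self.p), self.p), D[0], self.p)[1])

    def is_reduced(self, D):
        """Conditions (1)-(3) of Section 2.3 together with deg u <= g."""
        (u, v), p = D, self.p
        if not u or u[-1] != 1 or len(u) - 1 > self.g or len(v) >= len(u):
            return False
        return pdivmod(psub(self.F, padd(pmul(v, self.H, p), pmul(v, v, p), p), p), u, p)[1] == []

    def add(self, D1, D2):
        p, F, H, (u1, v1), (u2, v2) = self.p, self.F, self.H, D1, D2
        # Stage 1 (composition): d = gcd(u1, u2, v1 + v2 + H) = s1 u1 + s2 u2 + s3 (v1 + v2 + H)
        d1, e1, e2 = pxgcd(u1, u2, p)
        d, c, s3 = pxgcd(d1, padd(padd(v1, v2, p), H, p), p)
        s1, s2 = pmul(c, e1, p), pmul(c, e2, p)
        u = pdivmod(pmul(u1, u2, p), pmul(d, d, p), p)[0]                      # u = u1 u2 / d^2
        num = padd(padd(pmul(pmul(s1, u1, p), v2, p), pmul(pmul(s2, u2, p), v1, p), p),
                   pmul(s3, padd(pmul(v1, v2, p), F, p), p), p)
        v = pdivmod(pdivmod(num, d, p)[0], u, p)[1]                             # v = num / d mod u
        # Stage 2 (reduction): u' = (F - vH - v^2)/u made monic, v' = -H - v mod u', until deg u <= g
        while len(u) - 1 > self.g:
            u = pmonic(pdivmod(psub(F, padd(pmul(v, H, p), pmul(v, v, p), p), p), u, p)[0], p)
            v = pdivmod(psub([], padd(v, H, p), p), u, p)[1]
        return (u, v)


# Constructed demo values: the genus 2 curve y^2 = x^5 - x over F_11 (x^5 - x is squarefree
# for odd p, so C is non-singular) and two of its affine points, (3, 3) and (6, 2).
J = Jacobian(F=[0, 10, 0, 0, 0, 1], H=[], p=11)
P, Q = J.divisor_of_point((3, 3)), J.divisor_of_point((6, 2))

if __name__ == "__main__":
    print("P + Q    =", J.add(P, Q))            # ([7, 2, 1], [4, 7]): u = (x-3)(x-6), v = chord through P, Q
    print("2P       =", J.add(P, P))            # ([9, 5, 1], [10, 5]): u = (x-3)^2
    print("P + (-P) =", J.add(P, J.negate(P)))  # ([1], []), the identity class
```

Adding (P) + (Q) + (R) for a third point exercises stage 2, since the composed u has degree 3 > g.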

3. Hyperelliptic Curves of Low Embedding Degree 

In this section we discuss hyperelliptic curves suitable for pairing-based cryptographic systems. The 
Jacobian varieties of such curves must have computable pairings, and computationally infeasible 
discrete logarithm problems. Specifically, we require low embedding degrees and large prime-order 
subgroups. 

3.1. Embedding degree and ρ-value. Let r be a prime. Let C be a hyperelliptic curve over $\mathbb{F}_q$ of genus g with Jacobian variety $\mathrm{Jac}_C(\mathbb{F}_q)$ such that $r \mid \#\mathrm{Jac}_C(\mathbb{F}_q)$ and $\gcd(r, q) = 1$. The embedding degree of $\mathrm{Jac}_C$ with respect to r is the smallest integer k such that $r \mid (q^k - 1)$. Equivalently, the embedding degree of $\mathrm{Jac}_C$ with respect to r is the smallest integer k such that $\mathbb{F}_{q^k}^*$ contains the group of r-th roots of unity $\mu_r$. If $\mathrm{Jac}_C$ has embedding degree k with respect to r, then a pairing on C, such as the Weil pairing $e_r : \mathrm{Jac}_C(\mathbb{F}_q)[r] \times \mathrm{Jac}_C(\mathbb{F}_q)[r] \to \mu_r$, "embeds" $\mathrm{Jac}_C(\mathbb{F}_q)[r]$ (and any discrete logarithm problem in $\mathrm{Jac}_C(\mathbb{F}_q)[r]$) into $\mathbb{F}_{q^k}^*$, and $\mathbb{F}_{q^k}$ is the smallest-degree extension of $\mathbb{F}_q$ with this property; whence the name "embedding degree". Hitt [42] shows that if $q = p^m$ with $m > 1$, then $\mathrm{Jac}_C(\mathbb{F}_q)[r]$ may be embedded into a smaller field which is not an extension of $\mathbb{F}_q$ but only an extension of $\mathbb{F}_p$. The smallest such field is the so-called minimal embedding field, which is

$$\mathbb{F}_{p^{\mathrm{ord}_r p}}.$$

We occasionally speak of the embedding degree of the hyperelliptic curve C, in which case we mean the embedding degree of its Jacobian.

Another important parameter is the ρ-value, which for a Jacobian variety of dimension g we define as $\rho = g \log q / \log r$. Since $\#\mathrm{Jac}_C(\mathbb{F}_q) = q^g + O(q^{g - 1/2})$, the ρ-value measures the ratio of the bit-sizes of $\#\mathrm{Jac}_C(\mathbb{F}_q)$ and the subgroup order r. Jacobian varieties with a prime number of points have the smallest ρ-values: $\rho \approx 1$. We call a hyperelliptic curve, and its Jacobian variety, pairing-friendly if the Jacobian variety has small embedding degree and a large prime-order subgroup. In practice, we want $k \le 60$ and $r \ge 2^{160}$.

Since the embedding degree k is the order of q in the multiplicative group $(\mathbb{Z}/r\mathbb{Z})^*$, and typically elements in $(\mathbb{Z}/r\mathbb{Z})^*$ have large order, we expect that for a random Jacobian over $\mathbb{F}_q$ with order-r subgroup, the embedding degree is approximately of the same size as r. (This reasoning has been made more precise for elliptic curves, by Balasubramanian and Koblitz [1] and Luca, Mireles and Shparlinski [57].) With $r \ge 2^{160}$, this means that evaluating a pairing for a random hyperelliptic curve becomes a computationally infeasible task. Just as in the case of elliptic curves, pairing-friendly hyperelliptic curves are rare and require special constructions.

¹ In general, u' is a product of lines $L_i$ whose divisors are $(P_i) + (-P_i) - 2(P_\infty)$ for $i = 1, \ldots, r$, and $\mathrm{div}(F - vH - v^2)$ is the sum of the intersection points of C and a unique curve intersecting C at 3g points including $P_1, \ldots, P_r$.

3.2. Embedding degrees required for various security levels. For cryptographic applications, the discrete logarithm problems in $\mathrm{Jac}_C(\mathbb{F}_q)$ and in the multiplicative group $\mathbb{F}_{q^k}^*$ must both be computationally infeasible. For Jacobian varieties of hyperelliptic curves of genus 2 the best known discrete logarithm (DL) algorithm is the parallelized Pollard rho algorithm [70, 65], which has running time $O(\sqrt{r})$ where r is the size of the largest prime-order subgroup of $\mathrm{Jac}_C(\mathbb{F}_q)$. For Jacobian varieties of dimensions 3 and 4 there exist index calculus algorithms of complexities $O(q^{4/3+\epsilon}) = O(|\mathrm{Jac}_C|^{4/9+\epsilon})$ and $O(q^{3/2+\epsilon}) = O(|\mathrm{Jac}_C|^{3/8+\epsilon})$, respectively [35]. How this compares to the parallelized Pollard rho algorithm depends on the relative size of the subgroup order r; more precisely, only if $\rho < 9/8$ (genus 3 case) or $\rho < 4/3$ (genus 4 case) will the index calculus approach be superior to Pollard rho.

In any case, the best DL algorithms for genus 2, 3, and 4 are of exponential running time. On the other hand, the best algorithm for DL computation in finite fields is the index calculus attack (e.g., [62]) which has running time subexponential in the field size. Thus to achieve the same level of security in both groups, the size $q^k$ of the extension field must be significantly larger than r. Table 3.1 shows sample subgroup sizes, extension field sizes, and embedding degrees with which to achieve common levels of security, for various cases $r \sim q^{g/\rho}$. The listed sizes for the prime-order subgroups and the extension fields (of large characteristic) follow the recommendations by NIST [61, Table 2].



Table 3.1. Embedding degrees for hyperelliptic curves of genus g = 2 required to obtain commonly desired levels of security.

    Security     | Subgroup      | Extension field | Embedding degree (k)
    level (bits) | size r (bits) | size q^k (bits) | ρ≈1  | ρ≈2  | ρ≈3   | ρ≈4   | ρ≈6   | ρ≈8
    -------------+---------------+-----------------+------+------+-------+-------+-------+------
    80           | 160           | 1024            | 6g   | 3g   | 2g    | 1.5g  | g     | 0.8g
    112          | 224           | 2048            | 10g  | 5g   | 3.3g  | 2.5g  | 1.6g  | 1.3g
    128          | 256           | 3072            | 12g  | 6g   | 4g    | 3g    | 2g    | 1.5g
    192          | 384           | 7680            | 20g  | 10g  | 6.6g  | 5g    | 3.3g  | 2.5g
    256          | 512           | 15360           | 30g  | 15g  | 10g   | 7.5g  | 5g    | 3.8g


While Table 3.1 as such is for genus 2 only, it can easily be adapted to the cases of genus 3 and 4: only in the case that the Jacobian has almost prime order ($\rho \approx 1$) do we need to compensate for the aforementioned index-calculus algorithms in $\mathrm{Jac}_C$. For this, if g = 3, multiply the second column entries by 9/8 and the fourth column entries by 8/9; if g = 4, multiply the second column entries by 4/3 and the fourth column entries by 3/4.
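The definitions of Section 3.1 and the relation behind Table 3.1, as an added example that is not code from the paper: the embedding degree as the order of q modulo r, Hitt's minimal embedding field for $q = p^m$, the ρ-value, and the embedding degree needed for a given subgroup size and extension-field size. The (p, m, r) values in the demo are constructed toy numbers, not parameters of any real Jacobian, and the function names are this example's own.

```python
"""Embedding degree, minimal embedding field and rho-value (Section 3.1) and the
relation behind Table 3.1.  Added example, not code from the paper."""
from math import gcd, log2

RHO_COLUMNS = (1, 2, 3, 4, 6, 8)   # the rho values tabulated in Table 3.1


def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1: the order of q in (Z/rZ)^*. Needs gcd(r, q) = 1."""
    if r < 2 or gcd(q, r) != 1:
        raise ValueError("need r >= 2 and gcd(r, q) = 1")
    k, power = 1, q % r
    while power != 1:
        power, k = power * q % r, k + 1
    return k


def minimal_embedding_field_degree(p, m, r):
    """For q = p^m the naive target field is F_{q^k} = F_{p^{m k}}, but Hitt's minimal
    embedding field is F_{p^{ord_r p}}.  Returns (m*k, ord_r p); the second divides the
    first and is strictly smaller exactly when the r-torsion already embeds into a proper
    subfield of F_{q^k}."""
    return m * embedding_degree(p ** m, r), embedding_degree(p, r)


def rho_value(g, q, r):
    """rho = g log q / log r for a g-dimensional Jacobian over F_q with an order-r subgroup."""
    return g * log2(q) / log2(r)


def required_embedding_degree(g, r_bits, field_bits, rho):
    """k such that q^k has field_bits bits when r has r_bits bits and rho = g log q / log r:
    log2(q^k) = k * rho * r_bits / g  =>  k = g * field_bits / (rho * r_bits)."""
    return g * field_bits / (rho * r_bits)


def table_row(r_bits, field_bits):
    """One row of Table 3.1 in units of g (i.e. with g = 1), for rho = 1, 2, 3, 4, 6, 8."""
    return [required_embedding_degree(1, r_bits, field_bits, rho) for rho in RHO_COLUMNS]


if __name__ == "__main__":
    # Constructed toy parameters: q = 2^2 = 4, r = 7 (not the order of any real Jacobian).
    print("k for q = 4, r = 7:", embedding_degree(4, 7))                  # 3, so F_{q^k} = F_{2^6}
    print("(m*k, ord_r p):", minimal_embedding_field_degree(2, 2, 7))     # (6, 3): F_{2^3} already suffices
    print("128-bit row of Table 3.1 (units of g):", table_row(256, 3072)) # [12, 6, 4, 3, 2, 1.5]
```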

3.3. Ordinary hyperelliptic curves of low embedding degree. While there are numerous 
constructions for pairing-friendly elliptic curves - see e.g. the survey by Freeman, Scott and Teske 
[21] - there are not nearly as many constructions for hyperelliptic curves of low embedding degree and 
large prime-order subgroup. In this section, we discuss the case of ordinary Jacobians; see Section 
3.4 for the supersingular case. We keep the discussion result-oriented, and refer the reader to the 
corresponding original papers for details on the specific constructions and the theory underneath. 



J. BALAKRISHNAN, J. BELDING, S. CHISHOLM, K. EISENTRÄGER, K. STANGE, AND E. TESKE

Galbraith, McKee and Valença [32] argue that heuristically, for any fixed embedding degree k with $\varphi(k) > 4$ ($\varphi(k)$ = the Euler phi-function) and for any bound M on the field size q, there exist about as many genus 2 curves over $\mathbb{F}_q$ of embedding degree k (any ρ-value) as there exist elliptic curves over $\mathbb{F}_q$ of embedding degree k, namely $O(M^{1/2}/\log M)$. For embedding degrees k = 5, 10, they identify several quadratic polynomials q(x) parameterizing field sizes such that genus 2 curves over $\mathbb{F}_{q(x)}$ exist with embedding degree k (any ρ-value). (They also show that for k = 8, 12, such quadratic polynomials q(x) do not exist.)

Freeman [18] was the first to actually construct ordinary genus 2 curves of low embedding degree. His construction is based on the Cocks-Pinch method [11][21, Theorem 4.1], which produces pairing-friendly elliptic curves over prime fields of any prescribed embedding degree and with $\rho \approx 2$. In the genus-2 case, Freeman obtains curves over prime fields $\mathbb{F}_q$ of any prescribed embedding degree k and ρ-value 8, that is, $r \approx q^{1/4}$ (where r denotes the prime subgroup order of the Jacobian).

Freeman [18, Proposition 2.3] further shows that the resulting Jacobian varieties have the property that $\mathrm{Jac}_C(\mathbb{F}_{q^k})$ always contains two linearly independent r-torsion points. For an elliptic curve $E/\mathbb{F}_q$, the corresponding result implies that the entire r-torsion group is contained in $E(\mathbb{F}_{q^k})$, but this is not necessarily the case for higher dimensional abelian varieties. This phenomenon gives rise to the notion of the full embedding degree, which is the smallest integer k such that all r-torsion points of $\mathrm{Jac}_C$ are defined over $\mathbb{F}_{q^k}$. Freeman [18, Algorithm 5.1] gives a construction of genus 2 curves of prescribed full embedding degree k (necessarily even), which may be useful in cryptographic applications that require more than two linearly independent r-torsion points (see Section 6.8). Again, this construction yields curves with ρ-value 8.

Note that an essential part of either construction [18] is the use of the complex multiplication (CM) method to compute the actual curve. In genus 2, this includes computation of the Igusa class polynomials (e.g., [72]) of the CM field $K = \mathrm{End}(\mathrm{Jac}_C) \otimes \mathbb{Q}$, which is currently feasible for CM fields K with class numbers less than 100 [49]. (Here, $\mathrm{End}(\mathrm{Jac}_C)$ denotes the set of all endomorphisms of $\mathrm{Jac}_C$ defined over $\mathbb{F}_q$.)

Freeman, Stevenhagen and Streng [22, Algorithm 2.12] present a generalization of the Cocks-Pinch method, which, when coupled with complex multiplication methods, produces pairing-friendly abelian varieties over prime fields, of dimension g with ρ-values $\approx 2g^2$. This algorithm works for any prescribed embedding degree k, and applies to arbitrary genus $g \ge 2$. (However, note that complex multiplication methods are available for special CM fields only if g = 3, and are completely undeveloped for $g \ge 4$.) In addition to explicit genus 2 examples with $\rho \approx 8$, a cryptographically interesting example is given for genus 3 (k = 17 and $\rho \approx 17.95$).

In the case of pairing-friendly elliptic curves, the method by Brezing and Weng [5] is a generalization of the Cocks-Pinch method [11] and produces elliptic curves over prime fields with $1 < \rho < 2$ for many embedding degrees. Freeman [19, Algorithm 3.8] combines the Brezing-Weng approach with the method from Freeman, Stevenhagen and Streng [22] to construct so-called families of abelian varieties over prime fields with ρ-values strictly less than $2g^2$. An explicit construction for genus 2, embedding degree k = 5 and ρ = 4 is given; note that an instantiation with a 224-bit prime subgroup order r would exactly meet the 112-bit security level requirements (cf. Table 3.1). Other examples (for genus 2) include: k = 6, ρ = 7.5; k = 8, ρ = 7.5, and k = 10, ρ = 6 (able to exactly meet the 256-bit security level requirements) [19, 17]. In the case of genus 3, a construction yielding k = 7 and ρ = 12 is obtained.

All constructions mentioned so far in this section produce absolutely simple Jacobians. When considering simple abelian varieties A that are isogenous over some extension field $\mathbb{F}_{q^d}$ (q a prime) to a product of two elliptic curves, smaller ρ-values have been obtained:

Kawazoe and Takahashi [45] specialize to hyperelliptic curves with curve equation $y^2 = x^5 + ax$ over a prime field $\mathbb{F}_q$. For the cardinalities of the Jacobians of such curves, closed formulae exist. These formulae are exploited in adaptations of the Cocks-Pinch method (producing Jacobians with ρ-values around 4), and Brezing-Weng-type methods (for embedding degree divisible by 8, producing Jacobian varieties with $3 < \rho < 4$). The Jacobians split over $\mathbb{F}_{q^d}$, $d \in \{2, 4\}$.

Satoh [67] considers hyperelliptic curves C of the form $y^2 = x^5 + ax^3 + bx$ over $\mathbb{F}_q$, such that $\mathrm{Jac}_C$ splits over $\mathbb{F}_{q^2}$. This construction works for many embedding degrees and produces ρ-values < 4. More generally, Freeman and Satoh [20] show that if E is defined over $\mathbb{F}_q$, and A is an abelian variety isogenous over $\mathbb{F}_{q^d}$ to $E \times E$, then A is isogenous over $\mathbb{F}_q$ to a primitive subvariety of the Weil restriction of E from $\mathbb{F}_{q^d}$ to $\mathbb{F}_q$. Thus, pairing-friendly abelian varieties of this type can be built from elliptic curves $E/\mathbb{F}_q$ that are not pairing-friendly over $\mathbb{F}_q$, but are pairing-friendly when base-extended to $\mathbb{F}_{q^d}$. The elliptic curves can be constructed via Cocks-Pinch or Brezing-Weng type methods. The generic ρ-value for Jacobians of genus 2 produced in this manner is 4. With the Brezing-Weng method, ρ-values between 2 and 4 can be obtained. This approach not only contains the constructions by Kawazoe and Takahashi [45] and Satoh [67] but also produces the lowest ever recorded ρ-values for ordinary genus 2 curves. Explicit examples of cryptographically interesting genus 2 curves are given, such as a k = 9, $\rho \approx 8/3$ curve and a k = 27, $\rho \approx 20/9$ curve.

In conclusion, to date, the best we can achieve for pairing-friendly ordinary genus 2 curves with arbitrary prescribed embedding degree k is a ρ-value of 4; and $\rho \approx 8$ if one insists on absolutely simple Jacobians. (Although to date, there is no apparent reason why Jacobians that split over small-degree extensions should be more vulnerable to DL attacks than the absolutely simple ones.) We have no constructions of ordinary hyperelliptic curves of genus $g \ge 2$ with ρ-values less than 2. In particular, we have no constructions of higher-dimensional pairing-friendly ordinary Jacobian varieties with a prime number of points. This is in sharp contrast to the elliptic case, where $\rho \approx 2$ can be achieved for any prescribed embedding degree, $1 < \rho < 2$ for selected embedding degrees, and constructions for prime-order elliptic curves exist for embedding degrees k = 3, 4, 6, 10, and 12 (cf. [21]).

3.4. Supersingular curves. Supersingular hyperelliptic curves over $\mathbb{F}_q$ are always pairing-friendly. In fact, Galbraith [28] shows that there exists a constant k(g) such that the embedding degree of any supersingular abelian variety of dimension g over any finite field $\mathbb{F}_q$ is bounded by k(g). Rubin and Silverberg [66] prove that for simple supersingular abelian varieties, for $g \le 6$ we have $k(g) \le 7.5g$.

Specifically, for dimension g = 2, the embedding degree is bounded by 12, where k = 12 can only happen if $\mathbb{F}_q$ is a binary field $\mathbb{F}_{2^m}$ with m odd. If q is a square, or if $q = p^m$ with m odd and $p \ne 2, 3$, then the largest embedding degree is k = 6. If $\mathbb{F}_q = \mathbb{F}_{3^m}$ with m odd, the embedding degree is always bounded by 4. (In the case of dimension g = 3, the embedding degree is bounded by 18, and the bound for the dimension 4 case is 30. In both cases, this bound is achieved only in characteristic three. Over prime fields $\mathbb{F}_p$ with $p \ge 11$, there are no simple supersingular abelian varieties of dimension g = 3, while the largest embedding degree for dimension g = 4 is k = 12.)

As Rubin and Silverberg show [66, Corollaries 13, 14], not all embedding degrees below these bounds are possible. For example, in the dimension 2 case and if $q = p^m$ with m odd, then for p = 2 we have $k \in \{1, 3, 6, 12\}$; if p = 3, we have $k \in \{1, 3, 4\}$; if p = 5 we have $k \in \{1, 3, 4, 5, 6\}$ and if $p \ge 7$ we have $k \in \{1, 3, 4, 6\}$.

Cryptographically interesting supersingular hyperelliptic curves can be explicitly constructed. For example, Galbraith et al. [33] give curve equations for various field characteristics that yield simple supersingular Jacobians of dimension g = 2 and of embedding degrees $k \in \{4, 5, 6, 12\}$. By carefully choosing the underlying fields, ρ-values close to 1 can be readily obtained.

3.5. Supersingular versus ordinary hyperelliptic curves. While the embedding degrees of supersingular abelian varieties are limited to a few, small values, their advantage is that they can achieve ρ-values significantly smaller than their ordinary counterparts. For example, let us consider the 112-bit security level (cf. Table 3.1). One could use the construction by Freeman and Satoh [20] of an ordinary absolutely simple hyperelliptic Jacobian of dimension 2, with embedding degree k = 6 and ρ-value 2.976, with a 230-bit prime-order subgroup, working over a finite field $\mathbb{F}_q$ with 342-bit q. Alternatively, one could use the embedding-degree 12 supersingular curve $y^2 + y = x^5 + x^3 + b$ ($b \in \{0, 1\}$) over $\mathbb{F}_{2^m}$ with $m \ge 250$ chosen such that its Jacobian contains a subgroup of prime order $r \ge 2^{224}$. (Note that Coppersmith's algorithm [12] for DL computation in finite fields of small characteristic requires us to embed the Jacobian into a 3000-bit binary field $\mathbb{F}_{2^{12m}}$, to obtain roughly the same level of security provided by a 2048-bit field $\mathbb{F}_{q^{12}}$ with q large, cf. [55].) If m is chosen smaller than 342, this would result in bandwidth advantages for the supersingular Jacobian, given that in cryptographic applications the values that are transmitted are elements in $\mathrm{Jac}_C(\mathbb{F}_q)$. However, already at the 128-bit security level the advantage of supersingular curves disappears, in the light of the recent work by Freeman and Satoh [20]: this security level can be achieved with 256-bit prime-order subgroups either of an ordinary Jacobian over a 341-bit $\mathbb{F}_q$, with k = 9 and ρ = 8/3, or of a supersingular Jacobian over $\mathbb{F}_{2^m}$ with $m \ge 375$, of embedding degree 12 (again, m is chosen in response to Coppersmith's DL algorithm [12]: a 4500-bit binary field roughly provides the same security as a 3072-bit field of large characteristic). At high security levels ordinary curves are definitely preferable. For example, at the 256-bit level, a genus 2 curve with embedding degree k = 27 and (optimal to date) ρ-value of 20/9 (cf. [20]) requires a 568-bit field, while a binary supersingular curve of embedding degree 12 requires a 1875-bit field.

4. Pairings for Hyperelliptic Curves 

In this section, we give an overview of the different pairings on hyperelliptic curves, as well as introduce the more general framework of HV pairings which unify the recent variations on the Ate pairing. In particular, we present a direct proof of bilinearity and non-degeneracy for these pairings and describe how the Ate$_i$ and R-ate pairings fit into the framework.

We begin by introducing the historically most important pairings for hyperelliptic curves, the Tate-Lichtenbaum and Weil pairings. In what follows, let $r$ be a positive integer and assume that $C$ is defined over a finite field $\mathbb{F}_q$. Suppose that $K = \mathbb{F}_{q^k}$ is an extension of $\mathbb{F}_q$ such that $r \mid (q^k - 1)$. Throughout the section, we will use $D$ to mean both a divisor and the divisor class represented by $D$.

For a positive integer $s$, a Miller function $f_{s,D}$ is a function with divisor
$$(f_{s,D}) = sD - \rho(sD),$$
uniquely defined up to scalar multiplication by elements of $K^*$. The Miller loop length of such a function is $\log_2 s$ and measures how quickly the function can be evaluated via Miller's algorithm (see Algorithm 1). The benefit of recent variations on the Tate-Lichtenbaum pairing is a reduction in Miller loop length, which is sometimes accomplished by combining several Miller functions (see Section 5).
4.1. Tate-Lichtenbaum pairing. For $D_1 \in \mathrm{Jac}_C(K)[r]$, the divisor $rD_1$ is linearly equivalent to zero, hence there is some function whose divisor is $rD_1$, namely the Miller function $f_{r,D_1}$ defined above. Let $D_2$ be a divisor class, with representative $D_2 = \sum_P n_P (P)$ disjoint from $D_1$. We define a pairing called the Tate-Lichtenbaum pairing as follows:
$$T : \mathrm{Jac}_C(K)[r] \times \mathrm{Jac}_C(K)/r\mathrm{Jac}_C(K) \to K^*/(K^*)^r,$$
$$(D_1, D_2) \mapsto f_{r,D_1}(D_2) = \prod_P f_{r,D_1}(P)^{n_P}.$$
This pairing is bilinear, non-degenerate and the result is independent of the choice of representatives of the divisor classes.

4.2. The Weil pairing. For $D_1, D_2 \in \mathrm{Jac}_C(K)[r]$, the Weil pairing is given by
$$e_r : \mathrm{Jac}_C(K)[r] \times \mathrm{Jac}_C(K)[r] \to \mu_r,$$
$$(D_1, D_2) \mapsto T(D_1, D_2)\, T(D_2, D_1)^{-1},$$
which can be computed via two Tate-Lichtenbaum pairings. It is bilinear, alternating, and non-degenerate.

4.3. The modified Tate-Lichtenbaum pairing. If $\mathrm{Jac}_C(K)$ contains no elements of order $r^2$, then there is an isomorphism
$$\mathrm{Jac}_C(K)[r] \cong \mathrm{Jac}_C(K)/r\mathrm{Jac}_C(K).$$
Under this identification, we define the modified (or reduced) Tate-Lichtenbaum pairing to be
$$t : \mathrm{Jac}_C(K)[r] \times \mathrm{Jac}_C(K)[r] \to \mu_r,$$
$$(D_1, D_2) \mapsto T(D_1, D_2)^{(q^k - 1)/r}.$$
Since elements of $K^*$ have order dividing $q^k - 1$ and $r \mid (q^k - 1)$, the $r$-th powers which are the quotients of distinct representatives of the coset $T(D_1, D_2)$ are removed by this final exponentiation, leaving a unique result lying in $\mu_r \subset K$.

Other powers of the Tate-Lichtenbaum pairing can also give non-degenerate bilinear pairings into $\mu_r$ which may yield shorter Miller loops (for example, with the use of efficiently computable automorphisms of $C$ [16]; see Section 6.2).

4.4. Hyperelliptic Ate pairing. More generally, a bilinear pairing is a map
$$e : G_1 \times G_2 \to G_3$$
where $G_1, G_2$ are abelian groups, in additive notation, and $G_3$ is a cyclic group, written multiplicatively, and for all $p_1, p_2 \in G_1$, $q_1, q_2 \in G_2$, we have
$$e(p_1 + p_2, q_1) = e(p_1, q_1)\, e(p_2, q_1), \qquad e(p_1, q_1 + q_2) = e(p_1, q_1)\, e(p_1, q_2).$$

Let $r$ be a prime dividing $\#\mathrm{Jac}_C(\mathbb{F}_q)$ and let $k$ be the embedding degree of $\mathrm{Jac}_C(\mathbb{F}_q)$ with respect to $r$. We are interested in pairings where $G_1$ and $G_2$ are subgroups of $\mathrm{Jac}_C(K)$ where $K = \mathbb{F}_{q^k}$. In particular, a number of more convenient and faster pairings are known when
$$(4.1) \qquad G_1 = \mathrm{Jac}_C(K)[r] \cap \ker(\pi - [1]), \qquad G_2 = \mathrm{Jac}_C(K)[r] \cap \ker(\pi - [q]),$$
where $\pi$ is the $q$-th power Frobenius automorphism. Since $r$ divides $\#\mathrm{Jac}_C(\mathbb{F}_q)$, the group $G_1$, being the eigenspace of $1$, is at least 1-dimensional over $\mathbb{Z}/r\mathbb{Z}$. Since the eigenvalues of the Frobenius come in pairs $(\lambda, q/\lambda)$ [27, §5.2.3], $q$ is also an eigenvalue of $\pi$ on $\mathrm{Jac}_C[r]$, and thus there exists a divisor $D$ such that $\pi(D) = qD$. This implies that $\pi^k D = q^k D = D$, since $r \mid (q^k - 1)$ and $rD = 0$. Consequently, $D \in \mathrm{Jac}_C(\mathbb{F}_{q^k})$, and the group $G_2$ is also at least 1-dimensional over $\mathbb{Z}/r\mathbb{Z}$. If $k > 1$, then $G_1 \neq G_2$ and $G_1 \times G_2 \subset \mathrm{Jac}_C(\mathbb{F}_{q^k})[r]$ is at least 2-dimensional over $\mathbb{Z}/r\mathbb{Z}$. (Recall that for genus $g$, the full $r$-torsion $\mathrm{Jac}_C(\bar{\mathbb{F}}_q)[r]$ is $2g$-dimensional over $\mathbb{Z}/r\mathbb{Z}$.)

In the remainder of this section, $G_1$ and $G_2$ always denote the groups defined in (4.1). The most basic pairing defined for divisors in $G_1, G_2$ is the hyperelliptic Ate pairing [36]:
$$a : G_2 \times G_1 \to \mu_r, \qquad (D_2, D_1) \mapsto f_{q,\rho(D_2)}(D_1),$$
where $\rho(D_2)$ is the reduced divisor class representative. Since the Frobenius $\pi$ acts as $[q]$ on $D_2$, we have $f_{q,\rho(D_2)}(D_1) \in \mu_r$ and no final exponentiation is required [36, Lemma 2]. This is different from the elliptic Ate pairing [41], where a final exponentiation is always required. Another important difference of the hyperelliptic Ate pairing is that to obtain a well-defined value, one must use the reduced divisor $\rho(D_2)$, not simply any representative of the class $D_2$. The Miller loop length for the hyperelliptic Ate pairing is $\log_2 q$, in contrast to the elliptic case where the Miller loop length is $\log_2(t - 1)$ with $t$ the trace of Frobenius.

4.5. The Hess-Vercauteren (HV) framework for pairings on Frobenius eigenspaces. Since 2007, several variations of the Ate pairing have been proposed for elliptic and hyperelliptic curves, exploiting the fact that products and ratios of bilinear, non-degenerate pairings on $G_2 \times G_1$ are also bilinear pairings, but not necessarily non-degenerate [75]. The key is to find combinations of pairings which are both non-degenerate and computable using shorter Miller loops. Following the work of Hess [40] and Vercauteren [71] in the elliptic curve case, we unify these various pairings on $G_2 \times G_1$ in a more general framework, which we call HV pairings. The main benefit of this framework is that the criteria for non-degeneracy are more straightforward to verify, giving a direct way to create new pairings. Further investigation of this framework and possible extensions seems likely to be fruitful (see Section 6.1 and (1) in Section 6.9).

Let $D$ be any divisor in $\mathrm{Jac}_C(K)[r]$, and $s$ an integer. Recall that any divisor $D$ is equivalent to a unique reduced divisor which we denote $\rho(D)$. Let $h(x) \in \mathbb{Z}[x]$ be a polynomial of the form $h(x) = \sum_{i=0}^n h_i x^i$ satisfying $h(s) \equiv 0 \pmod r$. Define a generalized Miller function $f_{s,h,D}$ to be any function with divisor
$$(4.2) \qquad \sum_{i=0}^n h_i\, \rho(s^i D).$$
To see that this divisor is principal, consider the principal divisor
$$\sum_{i=0}^n h_i \left( s^i D - \rho(s^i D) \right),$$
which differs by $\left(\sum_{i=0}^n h_i s^i\right) D = h(s)\, D$ from (4.2). Since $h(s) \equiv 0 \pmod r$, this is an integer multiple of $rD$, which is linearly equivalent to zero by assumption, and thus the divisor (4.2) is principal. As with the standard Miller function, the function $f_{s,h,D}$ is only defined up to scalar multiples. Also, we note that the Miller function $f_{r,D}$ for the Tate-Lichtenbaum pairing is equal to $f_{s,h,D}$ for the constant function $h(x) = r$ and arbitrary integer $s$.
Theorem 4.1. Let $s \equiv q^j \pmod r$ for some $j \in \mathbb{Z}$. Let $h(x) \in \mathbb{Z}[x]$ with $h(s) \equiv 0 \pmod r$. Then
$$a_{s,h} : G_2 \times G_1 \to \mu_r, \qquad (D_2, D_1) \mapsto f_{s,h,D_2}(D_1)^{(q^k - 1)/r}$$
is a bilinear pairing satisfying
$$a_{s,h}(D_2, D_1) = t(D_2, D_1)^{h(s)/r} \quad \text{and} \quad a_{s,h}(D_2, D_1) = a(D_2, D_1)^{k q^{k-1} h(s)/r},$$
where $t$ is the modified Tate-Lichtenbaum pairing and $a$ is the hyperelliptic Ate pairing. The pairing $a_{s,h}$ is non-degenerate if and only if $h(s) \not\equiv 0 \pmod{r^2}$.

Remark 4.2. We note that since $k$ is the embedding degree of $\mathrm{Jac}_C(\mathbb{F}_q)$ with respect to $r$, in Theorem 4.1 $s$ will be a $k$-th root of unity modulo $r$ since $q$ is a primitive $k$-th root. In Hess's framework, there is the additional condition that $s$ be a primitive $k$-th root of unity modulo $r^2$. This requirement is necessary to show the existence of pairings such that the function $f_{s,h,D}$ is of "lowest degree" (see [40, §3]). It is, however, also needed for the identity $a_{s,h} = t^{h(s)/r}$ to hold for every admissible $h$: for $h(x) = x^k - 1$ the divisor (4.2) is $\rho(s^k D) - \rho(D) = 0$ (as $s^k D \sim D$), so $f_{s,h,D}$ is constant and $a_{s,h}$ is trivial, whereas $t^{h(s)/r} = t^{(s^k - 1)/r}$ is non-trivial unless $s^k \equiv 1 \pmod{r^2}$. Theorem 4.1 should therefore be read with the hypothesis $s^k \equiv 1 \pmod{r^2}$; without it, the step in the proof below that discards the factor with divisor $\sum_i h_i (g_i)$ does not go through in general.

Proof. First we show that the pairing is well-defined on divisor classes. Suppose that $D_2' \sim D_2$. Then
$$\mathrm{div}\left( f_{s,h,D_2'} / f_{s,h,D_2} \right) = \sum_{i=0}^n h_i \left( \rho(s^i D_2') - \rho(s^i D_2) \right) = 0,$$
since equivalent divisors have the same reduced representative. This demonstrates well-definition in the factor $G_2$. For the factor $G_1$, it suffices to show that the pairing is trivial under the hypothesis that $D_1$ is a principal divisor. Suppose $D_1 = \mathrm{div}(g)$. For any $D_2 \in G_2$, by the hypothesis that $s \equiv q^j \pmod r$ and $\rho(rD_2) = 0$, it is the case that
$$\rho(s^i D_2) = \rho(q^{ij} D_2) = \rho(\pi^{ij} D_2) = \pi^{ij} \rho(D_2) = q^{ij} \rho(D_2) = s^i \rho(D_2) + rD'$$
for some divisor $D'$ defined over $\mathbb{F}_{q^k}$. Therefore,
$$\sum_{i=0}^n h_i\, \rho(s^i D_2) = \sum_{i=0}^n h_i s^i \rho(D_2) + rD''$$
for some $D''$ defined over $\mathbb{F}_{q^k}$. Then by the hypothesis $h(s) \equiv 0 \pmod r$, this expression is an $r$-th multiple of another divisor $D'''$ defined over $\mathbb{F}_{q^k}$. By Weil reciprocity,
$$f_{s,h,D_2}(D_1)^{(q^k - 1)/r} = g(rD''')^{(q^k - 1)/r} = g(D''')^{q^k - 1} = 1,$$
as required.

We show bilinearity and non-degeneracy directly, in contrast to Hess's more general approach in the elliptic curve case [40, Theorem 1].

Let $s = q^j + \ell r$, for $j, \ell \in \mathbb{Z}$. Linearity in the second coordinate follows from the definition of evaluation of a function on a divisor. To show linearity in the first coordinate, let $D_2, D_3 \in G_2$ and $D_1 \in G_1$ be non-trivial reduced divisors. Then
$$(f_{s,h,D_2 + D_3}) = \sum_{i=0}^n h_i\, \rho(s^i D_2 + s^i D_3) = \sum_{i=0}^n h_i\, \rho(s^i D_2) + \sum_{i=0}^n h_i\, \rho(s^i D_3) + \sum_{i=0}^n h_i\, (g_i),$$
where
$$(g_i) = \rho(s^i D_2 + s^i D_3) - \rho(s^i D_2) - \rho(s^i D_3).$$
Since $rD_2 \sim 0$, $rD_3 \sim 0$ and $s = q^j + \ell r$, the function $g_i$ has divisor
$$(g_i) = \rho(q^{ij} D_2 + q^{ij} D_3) - \rho(q^{ij} D_2) - \rho(q^{ij} D_3).$$
Since $D_2, D_3 \in G_2$, the $q$-eigenspace of the Frobenius $\pi$, and since $\rho$ commutes with $\pi$, we have
$$(g_i) = \rho(D_2 + D_3)^{\pi^{ij}} - \rho(D_2)^{\pi^{ij}} - \rho(D_3)^{\pi^{ij}}.$$
Then $(g_i) = (m)^{\pi^{ij}}$, where $m$ is the function with divisor
$$(m) = \rho(D_2 + D_3) - \rho(D_2) - \rho(D_3).$$
As $f_{s,h,D_2 + D_3}$ is evaluated at the divisor $D_1 \in G_1$, which is fixed by $\pi$, the value $g_i(D_1)$ equals $m(D_1)^{\pi^{ij}} = m(D_1)^{q^{ij}}$. Thus,
$$\prod_{i=0}^n g_i(D_1)^{h_i} = \prod_{i=0}^n m(D_1)^{h_i q^{ij}} = m(D_1)^{h(q^j)}.$$
Using the fact that $s = q^j + \ell r$ and $h(s) \equiv 0 \pmod r$, so that $h(q^j) \equiv h(s) \equiv 0 \pmod r$, we see that this value is eliminated by the final exponentiation by $(q^k - 1)/r$, as $m(D_1) \in \mathbb{F}_{q^k}^*$. Since
$$f_{s,h,D_2 + D_3}(D_1) = f_{s,h,D_2}(D_1)\, f_{s,h,D_3}(D_1) \prod_{i=0}^n g_i(D_1)^{h_i},$$
the pairing $a_{s,h}$ is linear with respect to the first coordinate.
We now show that
$$a_{s,h}(D_2, D_1) = t(D_2, D_1)^{h(s)/r}$$
using a similar argument. On the right, we have $t(D_2, D_1)^{h(s)/r} = f_{r,D_2}(D_1)^{(h(s)/r) \cdot (q^k - 1)/r}$. Since $D_2 \in G_2$ we have $\rho(rD_2) = 0$, thus
$$\left( f_{r,D_2}^{\,h(s)/r} \right) = \frac{h(s)}{r} \left( rD_2 - \rho(rD_2) \right) = h(s)\, D_2 = \sum_{i=0}^n h_i s^i D_2.$$
On the left, we have $a_{s,h}(D_2, D_1) = f_{s,h,D_2}(D_1)^{(q^k - 1)/r}$, where by definition
$$(f_{s,h,D_2}) = \sum_{i=0}^n h_i\, \rho(s^i D_2).$$
We can rewrite this as
$$(f_{s,h,D_2}) = \sum_{i=0}^n h_i s^i D_2 - \sum_{i=0}^n h_i\, (g_i), \qquad \text{where } (g_i) = s^i D_2 - \rho(s^i D_2).$$
Since we evaluate at $D_1 \in G_1$ fixed by $\pi$ and $s = q^j + \ell r$ for some $\ell \in \mathbb{Z}$, the contribution of the function with divisor $\sum_{i=0}^n h_i (g_i)$ is eliminated by raising to the power $(q^k - 1)/r$ (this is the step that uses the hypothesis of Hess's framework that $s$ is a $k$-th root of unity modulo $r^2$; each $g_i$ is an Ate-type Miller function $f_{s^i, D_2}$, and these become trivial after the final exponentiation exactly when $s^{ik} \equiv 1 \pmod{r^2}$). Furthermore, we may choose any functions $f_{r,D_2}$ and $f_{s,h,D_2}$ with the above divisors, as any discrepancy from scalar multiples will be canceled out when evaluating at the degree zero divisor $D_1$. Thus, $a_{s,h}(D_2, D_1) = t(D_2, D_1)^{h(s)/r}$.

We have that $t$ is a non-degenerate pairing with values in $\mu_r$ and $h(s) \equiv 0 \pmod r$. Therefore, by the relationship between $a_{s,h}$ and $t$, the pairing $a_{s,h} = t^{h(s)/r}$ is trivial exactly when $r \mid h(s)/r$, and we conclude that $a_{s,h}$ is non-degenerate if and only if $h(s) \not\equiv 0 \pmod{r^2}$.

For the relationship with the hyperelliptic Ate pairing $a$, we use the fact that $t(D_2, D_1) = a(D_2, D_1)^{k q^{k-1}}$ [29, Theorem 2].

□

4.6. Examples of HV pairings. In this section, we describe how the pairings in the current literature fit into the HV framework. While these pairings can be expressed as $a_{s,h}$ for some $s \in \mathbb{Z}$ and $h(x) \in \mathbb{Z}[x]$, their actual computation takes an alternate form in order to make use of shorter Miller loops.

(1) The generalized Ate pairing or Ate$_i$ pairing was defined by Zhang [74] as the analogue of the Ate$_i$ pairing for elliptic curves [76]. For $s \equiv q^i \pmod r$, the Ate$_i$ pairing is
$$G_2 \times G_1 \to \mu_r, \qquad (D_2, D_1) \mapsto f_{s,D_2}(D_1)^{(q^k - 1)/r}.$$
Since $r \mid (q^k - 1)$, we may assume $0 \le i < k$. Note that if $s = q^i$ then no final exponentiation is needed, as is the case for the hyperelliptic Ate pairing. However, this choice of $s$ is never an improvement over the Ate pairing as the Miller loop length is $i \log_2 q \ge \log_2 q$.

For $s \not\equiv q^i \pmod{r^2}$, it is straightforward to show this is the HV pairing $a_{s,h}$ where $h(x) = x - q^i$. Writing $s = q^i + \ell r$ for $\ell \in \mathbb{Z}$, we have $(f_{s,D}) = sD - \rho(sD) = (f_{s,h,D}) + \ell r D$. As $\ell r D \sim 0$, these functions differ only by a constant and thus give the same value after the final exponentiation.
(2) The Ate pairings defined by Vercauteren [71, Theorem 1] for elliptic curves can be generalized directly to hyperelliptic curves. To define the pairing, we first choose an integer $m$ relatively prime to $r$ and express $mr$ in base $q$ as $mr = \sum_{i=0}^n h_i q^i$, and decompose the $m$-th power of the Tate-Lichtenbaum pairing as
$$(4.3) \qquad t(D_2, D_1)^m = f_{\sum_{i=0}^n h_i q^i,\, D_2}(D_1)^{(q^k - 1)/r} = \left[ \prod_{i=0}^n f_{h_i q^i,\, D_2}(D_1) \cdot \prod_{j=0}^{n-1} g_j(D_1) \right]^{(q^k - 1)/r},$$
where the $g_j$ ($j = 0, \dots, n-1$) are auxiliary functions defined through
$$f_{\sum_{i=j}^n h_i q^i,\, D_2} = f_{\sum_{i=j+1}^n h_i q^i,\, D_2}\; f_{h_j q^j,\, D_2}\; g_j.$$
The pairing $a_{[h_0, \dots, h_n]}$ is then defined as
$$a_{[h_0, \dots, h_n]} : G_2 \times G_1 \to \mu_r, \qquad (D_2, D_1) \mapsto \left[ \prod_{i=0}^n f_{h_i,\, q^i D_2}(D_1) \cdot \prod_{j=0}^{n-1} g_j(D_1) \right]^{(q^k - 1)/r}.$$
It is easy to see that $a_{[h_0, \dots, h_n]}(D_2, D_1)$ equals $t(D_2, D_1)^m$. Indeed, by definition of the Miller functions and the action of the Frobenius on $D_1$ and $D_2$, we have that
$$f_{h_i q^i,\, D_2}(D_1) = f_{q^i,\, D_2}(D_1)^{h_i}\; f_{h_i,\, q^i D_2}(D_1),$$
as in the proof of [71, Theorem 1]. While not explicitly noted in that proof, it is also true that
$$\prod_{i=0}^n f_{q^i,\, D_2}(D_1)^{h_i (q^k - 1)/r} = 1,$$
by an argument similar to that of Theorem 4.1. Therefore $a_{[h_0, \dots, h_n]}(D_2, D_1) = t(D_2, D_1)^m$. Thus, this pairing is simply the HV pairing $a_{q,h}$ where $h(x) = \sum_{i=0}^n h_i x^i$. (A caveat: the last product is in general a power of the hyperelliptic Ate pairing $a$ rather than $1$, which is why Vercauteren's own non-degeneracy criterion [71, Theorem 1] reads $m k q^{k-1} \not\equiv \frac{q^k - 1}{r} \sum_{i=0}^n i\, h_i q^{i-1} \pmod r$ rather than simply $r \nmid m$.)

The pairing $a_{[h_0, \dots, h_n]}$ is computed as a product of many Miller functions, as well as the auxiliary functions, and the total sum of the lengths of the Miller loops of the functions is $\sum_{i=0}^n \log_2 h_i$. Thus, for efficiency, this pairing is fastest if the coefficients of $mr$ in base $q$ expansion are small. Vercauteren gives an algorithm to find suitable multiples of $r$ by searching for shortest vectors in a lattice spanned by vectors involving powers of $q$ [71, §3.3]. This is the "lattice" idea which was further generalized by Hess [40]. See Section 6.1 for a discussion of the smallest loop length possible.
(3) The R-ate pairing, introduced by Lee, Lee and Park in 2008 [53], was the first pairing defined as a ratio of generalized Ate pairings. We give a specific instantiation as an example (cf. [53, Corollary 3.3(3)]). Let $T_i \equiv q^i \pmod r$ and $T_j \equiv q^j \pmod r$, where $0 \le i < j < k$, and write $T_i = aT_j + b$ for some $a, b \in \mathbb{Z}$. Then the R-ate pairing is
$$R : G_2 \times G_1 \to \mu_r, \qquad (D_2, D_1) \mapsto \left( f_{a,\, T_j D_2}(D_1)\; f_{b,\, D_2}(D_1)\; g(D_1) \right)^M,$$
where $g$ is an auxiliary function with divisor $\rho(aT_j D_2) + \rho(bD_2) - \rho(aT_j D_2 + bD_2)$ and $M \in \mathbb{N}$ is a final exponent. (The function $g$ is the analogue of the ratio of a linear and a vertical function for the elliptic curve case.) Although it is ambiguous in the original paper, this pairing requires a final exponentiation to yield a unique value. The exponent $M = (q^k - 1)/r$ is sufficient, though a smaller exponent may also work, depending on the multiplicative orders of $T_i$ and $T_j$ modulo $r$ (see [53, Corollary 3.3(3)] for details). It is easy to work out ([53, Theorem 3.2]) that
$$R(D_2, D_1) = \left( f_{T_i,\, D_2}(D_1) \big/ f_{T_j,\, D_2}(D_1)^a \right)^M,$$
and thus $R$ is in fact a ratio of generalized Ate pairings. Since $f_{a,\, T_j D_2}(D_1) = f_{a,\, D_2}(D_1)^{q^j}$ ([76, Theorem 1]), in practice, the R-ate pairing is computed as
$$R(D_2, D_1) = \left[ f_{a,\, D_2}(D_1)^{q^j}\; f_{b,\, D_2}(D_1)\; g(D_1) \right]^M.$$
In this form, and with $M = (q^k - 1)/r$, it is a straightforward calculation to establish that $R$ corresponds to the above Vercauteren pairing $a_{[h_0, \dots, h_n]}$ with $h_0 = b$, $h_i = -1$, $h_j = a$ and all other coefficients equal to zero: let $\ell_i, \ell_j \in \mathbb{Z}$ such that $T_i = q^i + \ell_i r$ and $T_j = q^j + \ell_j r$, express the $r$-multiple $(\ell_i - a\ell_j)\, r = b + aq^j - q^i$ in base $q$, and use that $f_{1, D_2}$ is a constant function and therefore eliminated by the final exponentiation. In other words, $R$ is the HV pairing $a_{s,h}$ where $s = q$ and $h(x) = ax^j - x^i + b$.

4.7. Twisted Ate pairing. In this section, we discuss the twisted Ate pairing $e : G_1 \times G_2 \to \mu_r$. The twisted Ate pairings use the fact that in certain situations, there is a "twist" of the Frobenius $\pi$ which acts as a power $[q^e]$ of $[q]$ on $G_1$ and as $[1]$ on $G_2$ (with $e = k/m$ in the notation of Theorem 4.3 below), thereby reversing the roles of these groups in the Ate pairing. The main benefit of such pairings is that $D_1 \in G_1$ is defined over $\mathbb{F}_q$, which means computing the Miller function $f_{s,D_1}$ is simpler. An added benefit is that the points in $D_2 \in G_2$ have $x$-coordinates in a subfield of $\mathbb{F}_{q^k}$, which also may simplify the evaluation, as explained in Section 5.3.

Let $C$ be a curve over a finite field $K = \mathbb{F}_q$. A twist of $C$ is a curve $C'$ over $\mathbb{F}_q$ such that there exists an isomorphism $\phi : C' \to C$ defined over $\mathbb{F}_{q^\delta}$ for some $\delta \in \mathbb{Z}^{+}$. If $\delta$ is the minimal degree extension of $\mathbb{F}_q$ over which the isomorphism is defined, then the twist $C'$ is of degree $\delta$. For more on twists of curves, see Silverman [69, §10.2].

Let $\pi$ be the Frobenius of $C$ and let $\phi^\pi$ denote the isomorphism $C' \to C$ obtained by $\pi$ acting on the coefficients of $\phi$. Then $\phi^\pi \circ \phi^{-1}$ is an automorphism of $C$ of order $\delta$ in $\mathrm{Aut}(C)$. Thus to look at twists of $C$, one needs to consider the automorphism group of $C$. For genus 2 hyperelliptic curves over $\mathbb{F}_q$, $\mathrm{Aut}(C)$ is isomorphic to one of the following groups [7, 8]:
$$C_2,\ C_{10},\ C_2 \times S_3,\ V_4,\ D_8,\ D_{12},\ 2D_{12},\ \tilde{S}_4,\ \tilde{S}_5,\ M_{32},\ \text{or}\ M_{160},$$
where $C_n$ is the cyclic group of order $n$, $V_4$ is the Klein 4-group, $D_n$ is the dihedral group of order $n$, $S_n$ is the symmetric group on $n$ letters, $M_n$ is the group of order $n$ arising from a certain exact sequence [8, Equation 6], and $2D_{12}$, $\tilde{S}_4$, $\tilde{S}_5$ are 2-coverings of $D_{12}$, $S_4$, and $S_5$, respectively. This implies that $\delta$, as the order of an element in $\mathrm{Aut}(C)$, has to divide $\#\mathrm{Aut}(C)$ for one of the above automorphism groups.

If $C$ has a twist of degree $\delta$ with $m = \gcd(k, \delta) > 1$, then it is possible to define a non-degenerate, bilinear pairing on $G_1 \times G_2$. For applications to cryptography, we are interested in using the highest degree twist available, because elements of $G_2$ can then be represented as elements of the Jacobian of the twist $C'$ defined over $\mathbb{F}_{q^{k/m}}$.

Given a curve $C$, let $r \mid \#\mathrm{Jac}_C(\mathbb{F}_q)$ be a large prime, $k$ the embedding degree, and $C'$ a degree $\delta$ twist of $C$. We have an injection
$$[\cdot] : \mu_\delta \to \mathrm{Aut}(C),$$
where $[\xi]$ is the automorphism defined by the twist. Then $G_2 = \mathrm{Jac}_C(\mathbb{F}_{q^k})[r] \cap \ker(\pi - [q]) = \mathrm{Jac}_C(\mathbb{F}_{q^k})[r] \cap \ker([\xi]\pi^{k/m} - 1)$, and Zhang proved the following theorem ([74, Theorem 2]):

Theorem 4.3. Let $C$ be a hyperelliptic curve over $\mathbb{F}_q$ with a twist of degree $\delta$. Let $m = \gcd(k, \delta)$ and $e = k/m$. Then
$$a^{\mathrm{twist}} : G_1 \times G_2 \to \mu_r,$$
where the representatives of $D_1 \in G_1$ and $D_2 \in G_2$ have disjoint support, defines a non-degenerate bilinear pairing called the hyperelliptic twisted Ate pairing.

Remark 4.4. For $C$ with $\gcd(k, \#\mathrm{Aut}(C)) \neq 1$, any pairing on $G_1, G_2 \subset \mathrm{Jac}_C(\mathbb{F}_{q^k})$ in the HV framework has a twisted version, $a^{\mathrm{twist}}_{s,h} : G_1 \times G_2 \to \mu_r$ [40, Theorem 1].

We now define the eta pairing, which is essentially the twisted Ate pairing on supersingular curves, although historically it was introduced before the Ate pairing. The eta pairing makes use of a distortion map on $C$ instead of a twist. Let $e(\cdot, \cdot)$ denote any bilinear, non-degenerate, Galois-invariant pairing on $\mathrm{Jac}_C(\bar{\mathbb{F}}_q)[r]$. A non-degenerate pairing ensures that given a non-zero divisor class $D_1$ of order $r$, there exists $D_2$ such that $e(D_1, D_2) \neq 1$. However, there are certain instances where a specific $D_1$ and $D_2$ pair to $1$, for example, where $D_1, D_2$ both are defined over $\mathbb{F}_q$ and the embedding degree $k > 1$. To remedy this, we introduce distortion maps.

Definition 4.5. Let $e$ be a non-degenerate pairing and $D_1$ and $D_2$ non-zero divisor classes of prime order $r$ on $C$. A distortion map is an endomorphism $\psi$ of $\mathrm{Jac}_C(\bar{\mathbb{F}}_q)$ such that $e(D_1, \psi(D_2)) \neq 1$.

Galbraith et al. [33] proved that distortion maps always exist for supersingular abelian varieties:

Theorem 4.6. Let $A$ be a supersingular abelian variety of dimension $g$ over $\mathbb{F}_q$, and let $r$ be a prime not equal to the characteristic of $\mathbb{F}_q$. For every two non-trivial elements $D_1$ and $D_2$ of $A(\bar{\mathbb{F}}_q)[r]$, there exists an endomorphism $\psi$ of $A$ such that $e(D_1, \psi(D_2)) \neq 1$.

The eta pairing was introduced in 2007 by Barreto et al. [2] for supersingular curves. It provides a generalization of the results of Duursma and Lee [14] for a specific instance of supersingular curves. Consider a supersingular curve $C/\mathbb{F}_q$ (having one point at infinity) which has even embedding degree $k > 1$. Let $D_1$ and $D_2$ be reduced divisors of degree zero on $C$ defined over $\mathbb{F}_q$ representing divisor classes of order $r$. Assume that there exists a distortion map $\psi$ which allows for denominator elimination (see Section 5.3), meaning the $x$-coordinates of points in $\psi(D_2)$ lie in a subfield of $\mathbb{F}_{q^k}$.

Definition 4.7. For $T \in \mathbb{Z}$, the eta pairing $\eta_T$ is given by
$$\eta_T(D_1, D_2) = f_{T, D_1}(\psi(D_2))^{(q^k - 1)/r}.$$

Note that in the literature, the eta pairing is often defined without the final exponent, though it is necessary to obtain a unique value in $\mu_r$. In general, this pairing is not a non-degenerate, bilinear pairing, but Barreto et al. [2, Theorem 1] give sufficient conditions on $T$ under which $\eta_T(\cdot, \cdot)$ can be related to the modified Tate-Lichtenbaum pairing. In particular, this implies that for certain values of $T$, the eta pairing is indeed non-degenerate and bilinear. Moreover, the recent work of Lee, Lee and Lee [54, 52] allows us to compute the eta pairing on genus 2 curves for general divisors, which lifts an earlier restriction to the case of degenerate divisors (see Section 5.4).

5. Fast Computation of Hyperelliptic Pairings 

In this section, we summarize the state of the art for fast computation of pairings on hyperelliptic 
curves of genus 2. 

5.1. Miller's algorithm. The algorithm used to compute Weil and Tate-Lichtenbaum pairings on elliptic curves was devised by Victor Miller in 1985 [58] and can be adapted to all pairings discussed in this paper [15]. Referring to the pairing definitions of Section 4 one sees that to compute a pairing, it is necessary to evaluate a Miller function at a divisor. Algorithm 1, further on referred to as "Miller's algorithm", computes such a value using the structure of an addition chain for $s$.

Usually, an addition chain takes the form of a double-and-add chain, as follows. Starting with the integer $k = 0$, at each step one performs one of two possible calculations to update the value of $k$: one either doubles to obtain $k \leftarrow 2k$ or doubles-and-adds to obtain $k \leftarrow 2k + 1$. To determine the sequence of steps needed to obtain any desired integer $s$ in this way, one reads the binary digits of $s$ from left to right, doubling once for each '0' and doubling-and-adding for each '1'. (For example, $5 = 101_2$ is obtained as $0 \to 2(0) + 1 = 1 \to 2(1) = 2 \to 2(2) + 1 = 5$.) Starting from $0$, this algorithm computes $s$ in $\lfloor \log_2 s \rfloor + 1$ steps (each of which consists of either one or two additions).

Miller's Algorithm computes $f_{s,D}$ following this double-and-add process by computing the Miller function $f_{k,D}$ at each step along the way, obtaining $f_{s,D}$ at the end. A double step involves one addition, and a double-and-add step involves two. For each addition, we compute the new Miller function $f_{i+j,D}$ from the previously computed $f_{i,D}$ and $f_{j,D}$ via the relationship
$$f_{i+j,D} = f_{i,D}\, f_{j,D}\, h_{iD, jD}, \qquad i, j > 0,$$
where the auxiliary function $h_{D', D''}$ is a function with divisor
$$\rho(D') + \rho(D'') - \rho(D' + D'').$$
The computation of $h_{D', D''}$ is performed by an enhanced version of Cantor's Algorithm (cf. Section 2.3), here Algorithm 2. It is called under the name Cantor() once (if doubling) or twice (if doubling and adding) in each iteration of the for-loop of Miller's Algorithm. Using the result of Algorithm 2, one calculates $f_{2i,D}$ from $f_{i,D}$ ("double") or $f_{2i+1,D}$ from $f_{i,D}$ and $f_{1,D}$ ("double and add"), where $f_{1,D}$ is a constant function.

In order to compute the pairing value, the Miller function $f_{s,D_2}$ must be evaluated at a divisor $D_1$, but this evaluation is not possible unless $D_1$ and $D_2$ have disjoint support, which is not the case if both are reduced (both contain $P_\infty$). However, using reduced divisors and Mumford representation is too useful to dispense with, so the solution is the following. Let $z$ be a uniformizer at $P_\infty$ (for example, $z(x, y) = x^g/y$ is a convenient choice). Then, if $f$ is a function with order $-r$ at $P_\infty$, define the leading coefficient at $P_\infty$ of $f$, denoted $\mathrm{lc}_\infty(f)$, to be $(z^r f)(P_\infty)$. Then the normalization of $f$ is the scalar multiple $f^{\mathrm{norm}} = f / \mathrm{lc}_\infty(f)$, which has leading coefficient $1$. For the hyperelliptic Ate pairing [36, Lemma 6], when $z$ is $\mathbb{F}_q$-rational,
$$f_{q, \rho(D_2)}(D_1) = f^{\mathrm{norm}}_{q, \rho(D_2)}(\varepsilon(D_1)),$$
where $\varepsilon(D_1)$ denotes the effective part of $D_1$. The right-hand expression requires computing the leading coefficient, but solves the problem of non-disjoint supports of $D_1$ and $D_2$ without losing the usefulness of Mumford representation.

For HV pairings and the modified Tate-Lichtenbaum pairing, the same solution is possible. Consider the computation of $t(D_2, D_1) = f_{r, D_2}(D_1)^{(q^k - 1)/r}$ where $D_1, D_2$ are reduced. Let $-b_i$ be the coefficient of $P_\infty$ in $D_i$ for $i = 1, 2$. (Note that $b_i = 1$ or $2$, depending on whether or not the reduced divisor $D_i$ is degenerate.) The function $f_{r, D_2}$ has divisor $rD_2$ with order $-b_2 r$ at $P_\infty$. Therefore, if $z$ is an $\mathbb{F}_{q^k}$-rational uniformizer at $P_\infty$,
$$f_{r, D_2}(D_1) = f^{\mathrm{norm}}_{r, D_2}(\varepsilon(D_1))\; z(P_\infty)^{b_1 b_2 r},$$
where the last factor is to be read formally. Since $b_1 b_2 r$ is a multiple of $r$, the contribution of $z(P_\infty)^{b_1 b_2 r (q^k - 1)/r}$ is $1$, and thus
$$f_{r, D_2}(D_1)^{(q^k - 1)/r} = f^{\mathrm{norm}}_{r, D_2}(\varepsilon(D_1))^{(q^k - 1)/r}.$$
As the HV pairing $a_{s,h}(D_2, D_1)$ is simply a power of the modified Tate pairing $t(D_2, D_1)$ (see Theorem 4.1), in whichever form the pairing $a_{s,h}(D_2, D_1)$ is computed, evaluating normalized functions at effective divisors will give the pairing value.

In the elliptic curve case, it is more efficient to evaluate the Miller functions and the auxiliary functions $h_{D', D''}$ at the desired divisor (denoted $D_2$ in Miller's Algorithm) at each step, instead of reserving the evaluation for the end. In order to allow for this, $D_2$ is passed to Cantor's Algorithm. We now turn to a discussion of this aspect in the case of hyperelliptic curves.

In Miller's Algorithm, the current Miller function $f$ is stored as two polynomials $f_1$ and $f_2$ such that $f = f_1 / f_2$. Similarly, the auxiliary functions $h$ are returned from Cantor's Algorithm as $h_1$ and $h_2$. It remains to explain how to evaluate a polynomial function $g(x, y)$ on $C$ at the effective part of a divisor given in Mumford representation $(u(x), v(x))$ (we need only the effective part because of the preceding discussion and the computation of the leading coefficient). We need to evaluate $G(x) = g(x, v(x))$ at the zeros of $u(x)$. This is the same as computing the resultant $\mathrm{Res}(G(x), u(x))$. Performing a resultant calculation is sufficiently costly that it is best left to the end of Miller's Algorithm, as long as the size of the Miller functions can be kept low in the meantime. Fortunately, in preparation for the eventual final resultant, it suffices to compute the Miller functions in $x$ and $y$ modulo $u(x)$, while substituting $y = v(x)$, effectively capping their degrees.

If Steps 5 and 8 through 12 are removed from Cantor's Algorithm and only $(U, V)$ is returned, the algorithm computes $\rho(D_1 + D_2)$ for any divisors $D_1$ and $D_2$ in Mumford representation (this is the usual meaning of "Cantor's Algorithm" as in Section 2.3). If these steps are included, then Cantor's Algorithm can also return $f, g \pmod u$ such that $f/g = h_{D_1, D_2}(x, v(x))$ for some specified divisor $(u, v)$. This is the form in which it is used in Miller's Algorithm.
Algorithm 1 Miller's Algorithm

Input: $D_1 = (u_1, v_1)$, $D_2 = (u_2, v_2)$, $d$, $s = \sum_{i=0}^{N} s_i 2^i$ (with $s_N = 1$)
Output: $f^{\mathrm{norm}}_{s, D_1}(\varepsilon(D_2))^d$
1: $D \leftarrow D_1$
2: $f_1 \leftarrow 1$, $f_2 \leftarrow 1$, $f_3 \leftarrow 1$
3: for $i = N - 1$ down to $0$ do
4:   $f_1 \leftarrow f_1^2 \pmod{u_2}$, $f_2 \leftarrow f_2^2 \pmod{u_2}$, $f_3 \leftarrow f_3^2$
5:   $(D, h_1, h_2, h_3) \leftarrow \mathrm{Cantor}(D, D, D_2)$
6:   $f_1 \leftarrow f_1 \cdot h_1 \pmod{u_2}$, $f_2 \leftarrow f_2 \cdot h_2 \pmod{u_2}$, $f_3 \leftarrow f_3 \cdot h_3$
7:   if $s_i = 1$ then
8:     $(D, h_1, h_2, h_3) \leftarrow \mathrm{Cantor}(D, D_1, D_2)$
9:     $f_1 \leftarrow f_1 \cdot h_1 \pmod{u_2}$, $f_2 \leftarrow f_2 \cdot h_2 \pmod{u_2}$, $f_3 \leftarrow f_3 \cdot h_3$
10:  end if
11: end for
12: return $\left( \mathrm{Res}(f_1, u_2) \big/ \left( f_3^{\deg u_2} \cdot \mathrm{Res}(f_2, u_2) \right) \right)^d$



Algorithm 2 Cantor's Algorithm

Input: $D_1 = (u_1, v_1)$, $D_2 = (u_2, v_2)$, $D' = (u, v)$
Output: $\rho(D_1 + D_2)$, $f(x, v(x)) \pmod u$, $g(x, v(x)) \pmod u$, $\mathrm{lc}_\infty(h_{D_1, D_2})$ where $h_{D_1, D_2} = f/g$
1: compute $(d_1, e_1, e_2)$ such that $d_1 = e_1 u_1 + e_2 u_2 = \gcd(u_1, u_2)$
2: compute $(d, c_1, c_2)$ such that $d = c_1 d_1 + c_2 (v_1 + v_2 + H) = \gcd(d_1, v_1 + v_2 + H)$
3: $s_1 \leftarrow c_1 e_1$, $s_2 \leftarrow c_1 e_2$, $s_3 \leftarrow c_2$
4: $U \leftarrow (u_1 u_2)/d^2$, $V \leftarrow \left( s_1 u_1 v_2 + s_2 u_2 v_1 + s_3 (v_1 v_2 + F) \right)/d \pmod U$
5: $f \leftarrow d \pmod u$, $g \leftarrow 1$, $h \leftarrow 1$
6: while $\deg(U) > g$ do   (here $g$ in the bound is the genus of $C$)
7:   $U' \leftarrow (F - VH - V^2)/U$, $V' \leftarrow (-H - V) \pmod{U'}$
8:   $f \leftarrow f \cdot (v - V) \pmod u$
9:   $g \leftarrow g \cdot U' \pmod u$
10:  if $\deg(V) > g$ then
11:    $h \leftarrow \mathrm{leadingcoeff}(V) \cdot h$
12:  end if
13:  $U \leftarrow U'$, $V \leftarrow V'$
14: end while
15: return $(U, V), f, g, h$
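The following Python program is an added illustration, not code from the surveyed paper or from any of the implementations it cites, of the composition and reduction steps of Algorithm 2, that is, Cantor's algorithm proper without the Miller-function bookkeeping of Steps 5 and 8 through 12. It works on the Jacobian of a genus 2 curve $y^2 + H(x) y = F(x)$ over a prime field. The prime $10007$, the curve $y^2 = x^5 + 3x + 1$ and the degenerate divisor $(P) - (\infty)$ with $P = (0, 1)$ are constructed for the example, and the helper names (trim, xgcd, cantor, scalar_mul) are this example's own. Running it checks that the group law computed this way is commutative and associative on the constructed divisor and that every multiple returned is a valid reduced divisor in Mumford representation.

```python
# Added example (not from the surveyed paper): Cantor's algorithm for the
# Jacobian of a genus-2 curve y^2 + H(x) y = F(x) over a prime field F_P,
# i.e. Steps 1-4, 7 and 13 of Algorithm 2 without the Miller-function
# bookkeeping.  Polynomials are lists of coefficients, lowest degree first.
# The curve y^2 = x^5 + 3x + 1 over F_10007 is constructed for this example.

P = 10007                  # constructed prime
GENUS = 2
F = [1, 3, 0, 0, 0, 1]     # F(x) = x^5 + 3x + 1 (its discriminant is nonzero mod P)
H = []                     # H(x) = 0


def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a):
    return len(trim(a)) - 1          # deg(0) = -1

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)
                 for i in range(n)])

def neg(a):
    return trim([-c for c in a])

def sub(a, b):
    return add(a, neg(b))

def scale(a, c):
    return trim([x * c for x in a])

def mul(a, b):
    a, b = trim(a), trim(b)
    if not a or not b:
        return []
    out = [0] * (len(a)   + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def divmod_(a, b):
    # polynomial long division over F_P; b need not be monic
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], P - 2, P)
    q = [0] * max(len(a) - len(b) + 1, 1)
    r = a
    while r and len(r) >= len(b):
        k = len(r) - len(b)
        c = r[-1] * inv_lead % P
        q[k] = c
        r = sub(r, [0] * k + scale(b, c))
    return trim(q), r

def mod(a, b):
    return divmod_(a, b)[1]

def monic(a):
    a = trim(a)
    return scale(a, pow(a[-1], P - 2, P)) if a else a

def xgcd(a, b):
    # returns (d, s, t) with d = s*a + t*b and d monic (Steps 1 and 2 of Algorithm 2)
    r0, r1 = trim(a), trim(b)
    s0, s1, t0, t1 = [1], [], [], [1]
    while r1:
        q, r = divmod_(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, sub(s0, mul(q, s1))
        t0, t1 = t1, sub(t0, mul(q, t1))
    if not r0:
        return [], [], []
    c = pow(r0[-1], P - 2, P)
    return scale(r0, c), scale(s0, c), scale(t0, c)


IDENTITY = ([1], [])       # Mumford representation (u, v) = (1, 0) of the zero class

def is_valid(D):
    # reduced divisor: deg v < deg u <= genus and u | F - vH - v^2
    u, v = D
    return 0 <= deg(u) <= GENUS and deg(v) < deg(u) and \
        not mod(sub(sub(F, mul(v, H)), mul(v, v)), u)

def cantor(D1, D2):
    u1, v1 = D1
    u2, v2 = D2
    d1, e1, e2 = xgcd(u1, u2)                              # Step 1
    d, c1, c2 = xgcd(d1, add(add(v1, v2), H))              # Step 2
    s1, s2, s3 = mul(c1, e1), mul(c1, e2), c2              # Step 3
    U = divmod_(mul(u1, u2), mul(d, d))[0]                 # Step 4
    num = add(add(mul(mul(s1, u1), v2), mul(mul(s2, u2), v1)),
              mul(s3, add(mul(v1, v2), F)))
    V = mod(divmod_(num, d)[0], U)
    while deg(U) > GENUS:                                  # Steps 6, 7, 13, 14
        U_new = divmod_(sub(sub(F, mul(V, H)), mul(V, V)), U)[0]
        V_new = mod(neg(add(H, V)), U_new)
        U, V = monic(U_new), V_new
    return (U, V)

def negate(D):
    u, v = D
    return (u, mod(neg(add(H, v)), u))

def scalar_mul(n, D):
    # double-and-add: the same addition chain Miller's algorithm walks
    R = IDENTITY
    for bit in bin(n)[2:]:
        R = cantor(R, R)
        if bit == "1":
            R = cantor(R, D)
    return R

# Constructed degenerate divisor (P) - (infinity) for the point P = (0, 1).
D = ([0, 1], [1])

if __name__ == "__main__":
    print("2D =", cantor(D, D))
    print("all multiples valid:", all(is_valid(scalar_mul(n, D)) for n in range(1, 20)))
```

Extending cantor() with Steps 5 and 8 through 12 of Algorithm 2, that is, accumulating $d$, $v - V$ and $U'$ modulo the $u$ of the evaluation divisor together with the leading coefficient of $V$, turns it into the routine that Algorithm 1 calls.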



In the case that we are pairing degenerate divisors (see Section 5.4), a norm computation may be 
preferred to the resultant method [29]. 

5.2. Using effective divisors and the leading coefficient. The leading coefficient of $f_{s,D}$ is an element of the field of definition of the function. Therefore, in the case of twisted pairings, the leading coefficient of $f_{s, D_1}$ is defined over $\mathbb{F}_q$. Hence, if the pairing includes a final exponentiation, the leading coefficient will be eliminated and thus may be ignored in the computation of the pairing.

5.3. Final exponentiation. As described in Section 4, most of the hyperelliptic pairings involve a final exponentiation of a Miller function $f_{s,D}(D')$ by $(q^k - 1)/r$, where $D \in \mathrm{Jac}_C(\mathbb{F}_q)[r]$ and $D'$ is an arbitrary divisor in $\mathrm{Jac}_C(\mathbb{F}_{q^k})$. As has been widely reported, this extra computation has its benefits, in particular when $k$ is even. Many of these are described by Scott [68] and Galbraith, Hess, and Vercauteren [29]; we summarize the main ones here.

When $k$ is even, the field $\mathbb{F}_{q^k}$ can be constructed as a degree two extension of $\mathbb{F}_{q^\ell}$, where $2\ell = k$. We can represent elements as $a + \gamma b$ with $a, b \in \mathbb{F}_{q^\ell}$ and $\gamma^2$ a quadratic non-residue in $\mathbb{F}_{q^\ell}$. It is straightforward to check that
$$\left( 1/(a + \gamma b) \right)^{q^\ell - 1} = (a - \gamma b)^{q^\ell - 1},$$
since $(a + \gamma b)(a - \gamma b) = a^2 - \gamma^2 b^2$ lies in $\mathbb{F}_{q^\ell}$ and is therefore killed by the exponent $q^\ell - 1$. As $k$ is the embedding degree, $q^\ell \equiv -1 \pmod r$, so $q^\ell - 1$ divides $(q^k - 1)/r = (q^\ell - 1)(q^\ell + 1)/r$; hence inversion can be replaced by conjugation, since the result is the same after the final exponentiation. In particular, this applies to any denominators of computations in Miller's algorithm.

There is a further optimization, denominator elimination, which in fact allows one to ignore all denominators in Miller's algorithm. In computing $f_{s,D}(D')$ where $D$ is a divisor defined over the base field $\mathbb{F}_q$, one computes the numerator and denominator values separately (see Algorithm 1). If $D' = (u(x), v(x))$ has $u(x)$ defined over $\mathbb{F}_{q^\ell}$, then the computation of the denominator involves only $D$ and $u(x)$ and therefore becomes trivial after the final exponentiation. In the case of supersingular curves, for example, a suitable evaluation divisor can be found using a distortion map $\psi$ (see Section 4.7) such that $\psi(D')$ has $x$-coordinates in $\mathbb{F}_{q^\ell}$ [33].
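As an added example (not from the surveyed paper), the following Python code checks the two facts used above on the smallest instance of the even-$k$ construction: $q = p$ prime, $k = 2$, $\ell = 1$, so $\mathbb{F}_{q^k} = \mathbb{F}_p(\gamma)$ with $\gamma^2 = -1$. The prime $p = 10007$ and the subgroup order $r = 139$ (a prime divisor of $p + 1 = q^\ell + 1$, as the embedding-degree condition requires) are constructed for the example; the function names are this example's own. It verifies that $(1/(a + \gamma b))^{p-1}$ and $(a - \gamma b)^{p-1}$ agree, that the agreement survives the full exponent $(p^2 - 1)/r$, that a denominator lying in the subfield $\mathbb{F}_p$ disappears under that exponent, and that the Frobenius $x \mapsto x^p$ is the conjugation, so that conjugating costs nothing.

```python
# Added example (not from the surveyed paper): the "inversion is conjugation"
# trick and denominator elimination of the final exponentiation, on the toy
# field F_{p^2} = F_p(gamma), gamma^2 = NR.  Here q = p, k = 2, l = 1, and the
# constructed prime r divides q^l + 1 = p + 1 as the embedding degree requires.

P = 10007            # constructed prime; P % 4 == 3, so -1 is a quadratic non-residue
NR = P - 1           # gamma^2 = -1
R = 139              # constructed prime with R | P + 1 = 10008 = 72 * 139
FINAL_EXP = (P * P - 1) // R       # (q^k - 1)/r, a multiple of q^l - 1 = P - 1

def fp2_mul(x, y):
    a, b = x
    c, d = y
    return ((a * c + NR * b * d) % P, (a * d + b * c) % P)

def fp2_pow(x, e):
    result, base = (1, 0), x
    while e:
        if e & 1:
            result = fp2_mul(result, base)
        base = fp2_mul(base, base)
        e >>= 1
    return result

def fp2_conj(x):
    a, b = x
    return (a, (-b) % P)

def fp2_inv(x):
    # 1/(a + gamma b) = (a - gamma b) / (a^2 - gamma^2 b^2); the norm lies in F_p
    a, b = x
    norm = (a * a - NR * b * b) % P
    inv_norm = pow(norm, P - 2, P)
    return (a * inv_norm % P, (-b) * inv_norm % P)

def final_exp(x):
    return fp2_pow(x, FINAL_EXP)

def conjugation_replaces_inversion(x):
    # (1/(a + gamma b))^(q^l - 1) == (a - gamma b)^(q^l - 1), and therefore the
    # two agree after the full final exponentiation as well.
    first_part_equal = fp2_pow(fp2_inv(x), P - 1) == fp2_pow(fp2_conj(x), P - 1)
    full_equal = final_exp(fp2_inv(x)) == final_exp(fp2_conj(x))
    return first_part_equal and full_equal

def subfield_denominator_vanishes(num, den):
    # Denominator elimination: a denominator in the subfield F_{q^l} = F_p
    # contributes nothing after the final exponentiation, so the division
    # (and the denominator itself) can be skipped in Miller's algorithm.
    if den[1] != 0:
        raise ValueError("denominator must lie in F_p for this shortcut")
    return final_exp(fp2_mul(num, fp2_inv(den))) == final_exp(num)

def frobenius_is_conjugation(x):
    # x^p == conj(x) on F_{p^2}: the q^l-th power Frobenius is free to apply.
    return fp2_pow(x, P) == fp2_conj(x)

def lands_in_mu_r(x):
    # the final exponentiation sends every nonzero element into mu_r
    return fp2_pow(final_exp(x), R) == (1, 0)

if __name__ == "__main__":
    x = (1234, 5678)                 # constructed element a + gamma b
    print(conjugation_replaces_inversion(x), frobenius_is_conjugation(x),
          subfield_denominator_vanishes((99, 7), (4321, 0)), lands_in_mu_r(x))
```

In a real genus 2 instance $p$ is replaced by $q^\ell$ with $\ell = k/2$ (for example $\ell = 6$ for the $k = 12$ supersingular binary curves of Section 3), but the three identities are the same: they depend only on $q^\ell \equiv -1 \pmod r$ and on the norm $a^2 - \gamma^2 b^2$ lying in the subfield.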

The final exponentiation is generally computed in multiple steps by writing $(q^k - 1)/r$ as a product of polynomials in base $q$ expansion and exploiting finite field constructions, in particular the $q$-th power Frobenius, which speeds up computation [29]. Other methods for faster computation include signed sliding window methods [37], as well as trace and tori methods [34, 38].

Remark 5.1. As the Ate pairing does not require final exponentiation, these techniques are unavailable. Furthermore, as stated by Granger et al., there are also possible security implications; namely, the problem of pairing inversion (given $\gamma$ and $D_1$, find $D_2$ such that $a(D_1, D_2) = \gamma$) may not be as hard (see [36, Intro.]). However, we remark that if $r^2 \nmid (q^k - 1)$ and $r$ is prime, a superfluous final exponentiation of the Ate pairing still gives a non-degenerate result.

5.4. Degenerate divisors. For a genus 2 curve, a general reduced divisor $D$ is of the form $D = 
(P_1) + (P_2) - 2(\infty)$ and a degenerate divisor is of the form $D = (P) - (\infty)$. As there are fewer 
points in the support, the arithmetic is faster when adding a general divisor to a degenerate divisor 
than when adding two general divisors. This speeds up the computation of the Miller function $f_{s,D}$ 
where $D$ is degenerate. Furthermore, the evaluation of a Miller function on a degenerate divisor is 
also faster by at least half, since there is only one affine point. Many of the fastest hyperelliptic 
pairing computations use degenerate divisors, including the examples noted with [a], [b] and [c] in 
Table 5.6. We summarize here when it is possible to use degenerate divisors as either the first 
or second argument of a pairing. 

Should $\mathrm{Jac}_C(\mathbb{F}_q)$ be of prime order $r$, then for any $P \in C(\mathbb{F}_q)$, the divisor $D = (P) - (\infty)$ can be 
used as the first argument, regardless of the pairing. Furthermore, if $C$ is supersingular, then using a 
distortion map $\psi$ (see Section 4.7), we have that $\psi(D)$ is also degenerate and pairs non-trivially with 
$D$. Hence, for supersingular curves with prime-order $\mathrm{Jac}_C(\mathbb{F}_q)$, we can use degenerate divisors as 
both arguments of the Tate-Lichtenbaum pairing. This fact was originally exploited in the definition 
of the $\eta_T$ pairing by Duursma and Lee [14]. In the more general situation where $\#\mathrm{Jac}_C(\mathbb{F}_q)$ is not 
prime and/or the curve $C$ is not supersingular, using degenerate divisors is not as straightforward, 
as noted by Frey and Lange [24]. If $\#\mathrm{Jac}_C(\mathbb{F}_q) = nr$ where $\gcd(n, r) = 1$, there is no guarantee that 
there exists a degenerate divisor $D$ of order $r$. The probability that a reduced divisor is of order 
$r$ is $1/n$ and the probability that a divisor is degenerate is roughly $1/q$, by the Hasse-Weil bounds 
on $C(\mathbb{F}_q)$ and $\mathrm{Jac}_C(\mathbb{F}_q)$. Therefore, assuming independence, a heuristic argument gives that the 
probability a divisor is degenerate and of order $r$ is $1/(qn)$. This implies that using a degenerate divisor 
for the first argument is not necessarily possible. 

However, Frey and Lange [24] show that for $q$ large enough (as in a cryptographic setting), it 
is possible to use a degenerate divisor as the second argument. In other words, there exists $D_2 = 
(P) - (\infty) \in \mathrm{Jac}_C(\mathbb{F}_{q^k})$ such that for any $D_1 \in \mathrm{Jac}_C(\mathbb{F}_q)[r]$, the Tate-Lichtenbaum pairing $t(D_1, D_2)$ 
is non-trivial. The probability that $P \in C(\mathbb{F}_{q^k})$ yields such a divisor $D_2$ has a lower bound of 
$1/(k \log_2 q)$. Moreover, if $k = 2d$ is even, it is possible to choose $P = (x, y)$ with $x \in \mathbb{F}_{q^d}$ and $y \in \mathbb{F}_{q^k}$, 
using a degenerate divisor on the quadratic twist of $C/\mathbb{F}_{q^d}$. This technique is used for example by 
Fan, Gong and Jao [16] and allows for denominator elimination. 

Remark 5.2. As remarked by Galbraith, Hess and Vercauteren [29, §7], there are potential secu- 
rity implications with using degenerate divisors, depending on the application. While the discrete 
logarithm problem with a degenerate divisor as a base point is no easier than that with a general 
divisor [44], other hardness assumptions such as pairing inversion (see Remark 5.1) are potentially 
compromised, as Granger et al. have noted [36]. To our knowledge, the topic remains unresolved. 

We also remark that there are protocols in which it may not always be possible to use degenerate 
divisors, for example, when computing a pairing where one input is required to be a random multiple 
of a divisor $D$. 



5.5. Rubin-Silverberg point compression. Another method available to us in genus 2 is the 
point compression technique of Rubin and Silverberg [66], who note that supersingular abelian 
varieties can be identified with subvarieties of Weil restrictions of supersingular elliptic curves. 

Recall that a supersingular $q$-Weil number is a complex number of the form $\sqrt{q}\,\zeta$ where $\zeta$ is a root 
of unity and $\sqrt{q}$ denotes the positive square root. Let $m$ be the order of $\zeta$. 

The following theorem allows us to define a useful invariant: 

Theorem 5.3 ([66]). Suppose $A$ is a simple supersingular abelian variety of dimension $g$ over 
$\mathbb{F}_q$, where $q$ is a power of a prime $p$, and $P(x)$ is the characteristic polynomial of the Frobenius 
endomorphism of $A$. Then $P(x) = G(x)^e$, where $G(x) \in \mathbb{Z}[x]$ is a monic irreducible polynomial with 
$e = 1$ or $2$. All of the roots of $G$ are supersingular $q$-Weil numbers. 

We call the roots of $G$ the $q$-Weil numbers for $A$. 

Definition 5.4. The cryptographic exponent of $A$ is defined by 

$$c_A = \begin{cases} \dfrac{m}{2}, & \text{if } q \text{ is a square,} \\[6pt] \dfrac{m}{\gcd(2, m)}, & \text{if } q \text{ is not a square.} \end{cases}$$

Let $\alpha_A = c_A/g$; it is the security parameter of $A$. 



Now let $F \subset F'$ be finite fields, $E$ an elliptic curve over $F$, and let $Q \in E(F')$. Recall that the trace 
from $F'$ to $F$ is given by 

$$\mathrm{Tr}_{F'/F}(Q) = \sum_{\sigma \in \mathrm{Gal}(F'/F)} \sigma(Q).$$

Rubin and Silverberg prove the following result: 



PAIRINGS ON HYPERELLIPTIC CURVES 



23 



Theorem 5.5 ([66]). Let $E$ be a supersingular elliptic curve over $\mathbb{F}_q$, $\pi$ a $q$-Weil number for $E$ 
($\pi \notin \mathbb{Q}$). Fix $r \in \mathbb{N}$ with $\gcd(r, 2 p c_E) = 1$. Then there is a simple supersingular abelian variety $A$ 
over $\mathbb{F}_q$ having the following properties. 

(1) $\dim A = \varphi(r)$. 

(2) For every primitive $r$-th root of unity $\zeta$, $\pi\zeta$ is a $q$-Weil number for $A$. 

(3) $c_A = r c_E$. 

(4) $\alpha_A = (r/\varphi(r))\,\alpha_E$. 

(5) There is a natural identification of $A(\mathbb{F}_q)$ with the following subgroup of $E(\mathbb{F}_{q^r})$: 

$$\{ Q \in E(\mathbb{F}_{q^r}) : \mathrm{Tr}_{\mathbb{F}_{q^r}/\mathbb{F}_{q^{r/\ell}}}(Q) = O \text{ for every prime } \ell \mid r \}.$$

This theorem can be thought of as a form of point compression for supersingular elliptic curves. 
More concretely, the theorem allows us to replace the Jacobian of a hyperelliptic curve $C$ over $F$ 
with an elliptic curve $E$ over an extension $F'$ of $F$, while still exploiting the per-bit security gain of 
higher genus hyperelliptic curves. From a security standpoint, there is no difference between working 
with $E(F')$ and working with $\mathrm{Jac}_C(F)$. On the other hand, one needs fewer bits to represent divisors 
with support in $C(F)$ than to represent points in $E(F')$. 

As noted by Galbraith [28], recent implementations [2] indicate that pairings on elliptic curves 
with the Rubin-Silverberg compression are, in general, more efficient than using the pairings on 
Jacobians of hyperelliptic curves. However, it seems that Rubin and Silverberg have initiated a 
promising investigation into the arithmetic geometry of abelian varieties and its applications to 
pairings. Much work remains to be done, in particular with respect to the torsion structure of these 
varieties. 

5.6. A comparison of pairings. We conclude this section by summarizing in Table 5.6 all known 
variants of the Tate-Lichtenbaum pairing defined in Section 4, in terms of their loop length and 
whether or not there is a final exponent of $(q^k - 1)/r$. Note that if there is a final exponent, in the 
case of even embedding degree $k$, this allows for the optimizations described in Section 5.3. The 
last column gives references to specific examples of curves of genus 2 in the literature for which the 
efficiency of the pairing has been analyzed, either theoretically, via implementation or both. 

All pairings in Table 5.6 except the Tate-Lichtenbaum pairing and the modified Tate-Lichtenbaum 
pairing are defined on $G_2 \times G_1$, but if $\gcd(k, \#\mathrm{Aut}(C)) \neq 1$, then there exist the twisted versions 
on $G_1 \times G_2$ which have the same final exponent and loop length. 



Table 5.6. A comparison of pairings. 

Pairing          Curves          Final Exponent   Loop Length                                   Examples for g = 2
---------------  --------------  ---------------  --------------------------------------------  --------------------------
Modified Tate    All             Yes              log2 r                                        [16]^a, [39, §5], [10]
Ate [36]         All             No               log2 q                                        
Eta [2]          Supersingular   Yes              Varies; (log2 q) possible                     [2]^b
HV [40, 71]      All             Yes              Varies; (log2 r)/φ(k) possible                [71, §4]^c
Ate_i [74]       All             Yes              log2(q^i (mod r)); (log2 r)/φ(k) possible     [74, §5]^d
R-ate [53]       All             Yes              Varies                                        [53, §5]^e, [31, §4.5]^f
[a] Fan, Gong and Jao use efficiently computable automorphisms to compute a power of the 
modified Tate-Lichtenbaum pairing on two Kawazoe-Takahashi families of non-supersingular 
curves over prime fields. This algorithm allows for a theoretical reduction of up to one fourth 
in the length of the Miller loop ($\log_2 r$). They implement this on curves over $\mathbb{F}_p$ where $p$ is 
a 329-bit prime and $k = 4$ and compare this with pairings on a supersingular curve defined 
over $\mathbb{F}_p$ with $p$ a 256-bit prime and $k = 4$. Using all known optimizations (degenerate divi- 
sors, encapsulated group operations, final exponentiation, fast field arithmetic), the pairing 
computation on the non-supersingular curve is about 55.8% faster. 

[b] This is one of the fastest known pairing implementations on a hyperelliptic curve and makes 
use of many optimizations including degenerate divisors and a special octupling formula. 

[c] Vercauteren gives an example of a family of supersingular curves with $k = 12$ such that 
the loop length is approximately $\log_2 r/\varphi(k)$. 

[d] Zhang gives examples of Kawazoe-Takahashi curves with $k = 8, 24$ such that the twisted 
$\mathrm{Ate}_i$ pairing has loop length approximately $\log_2 r/\varphi(k)$. 

[e] Lee, Lee and Park show that for supersingular curves the loop length can theoretically 
be approximately $(\log_2 q)/2$. They also compute an example on a Duursma-Lee curve with 
$k = 5$, achieving a loop length 21% shorter than the Ate. 

[f] Galbraith, Lin and Mireles Morales [31] describe how to use the R-ate pairing on a real 
model of a hyperelliptic curve of genus 2 over $\mathbb{F}_p$ with $k = 6$. By using a distortion map 
$\psi$ on $\mathrm{Jac}_C(\mathbb{F}_p)[r]$ such that the image of $G_1$ is in the $p$-eigenspace, $G_2$, they are also able 
to make use of denominator elimination. They conclude that such pairings are theoretically 
competitive with both pairings on certain elliptic curves with $k = 3$ and with hyperelliptic 
curves in the imaginary model with $k = 4$. 

6. Future Work on Hyperelliptic Pairings 

In this section, we present possible areas for future work, expanding upon the list in the 2007 survey 
paper of Galbraith, Hess and Vercauteren [29]. We list some newer problems, mention some recent 
advancements in the elliptic curve case which may find generalizations in pairings for $g \geq 2$, and 
conclude by revisiting the 2007 list [29]. 

6.1. Achieving optimal loop length. Since 2007, there has been a flurry of new work to reduce 
the loop length in Miller's algorithm using variants of the Ate pairing. In particular, the Ate pairing 
on hyperelliptic curves of genus $g$ already reduces the loop length by up to a factor of $g$ when 
compared to the Tate-Lichtenbaum pairing [36]. Vercauteren [71] uses the following definition to 
characterize pairings with certain loop lengths. 

Definition 6.1. [71] Let $e : G_1 \times G_2 \to \mu_r \subset \mathbb{F}_{q^k}^{*}$ be a non-degenerate, bilinear pairing defined 
using a combination of Miller functions. We call $e(\cdot,\cdot)$ an optimal pairing if it can be computed 
using $(\log_2 r)/\varphi(k) + \epsilon(k)$ Miller iterations, where $\varphi$ is the Euler phi function and $\epsilon(k) \leq \log_2 k$. 

Note that this means a pairing is optimal if the total sum of all the loop lengths of the Miller 
functions is approximately $(\log_2 r)/\varphi(k)$. 

For an HV pairing with $h(x) = \sum_{i=0}^{n} h_i x^i$, the total sum of loop lengths is $\sum_{i=0}^{n} \log_2 h_i$. Thus 
to be optimal, it is necessary but not sufficient that the coefficients of $h$ are bounded by $r^{1/\varphi(k)}$. This 
can be achieved by finding the shortest vectors in a lattice spanned by vectors involving powers of $s$ 
[71, §3.3]. Vercauteren and Zhang both give examples of genus 2 HV pairings (see Table 5.6) where 
the polynomial $h(x)$ satisfies this bound and has only one coefficient which is not $\pm 1$, therefore 
providing examples of optimal hyperelliptic pairings. It remains open whether given a hyperelliptic 
curve it is always possible to construct an optimal HV pairing. One direction would be to look 
at extending the method of Vercauteren [71] which constructs optimal pairings on parameterized 
families of elliptic curves. 

Vercauteren also conjectures that for elliptic curves without efficiently computable automorphisms 
other than the Frobenius, no pairing can be better than optimal [71, §2]. More specifically, he 
conjectures that for such a curve, any non-degenerate pairing requires at least $(1 - \delta)\log_2 r/\varphi(k)$ 
Miller iterations where $0 \leq \delta < 1/4$. For a curve with a set of efficiently computable endomor- 
phisms $\mathcal{E} \subset \mathrm{End}(E)$, Vercauteren defines a superoptimal pairing as one which can be computed using 
$(\log_2 r)/\#\mathcal{E} + \epsilon(k)$ Miller iterations. It remains to examine what is the best possible for genus 2 
curves, both with and without the existence of efficiently computable endomorphisms (see also Sec- 
tion 6.2). Furthermore, it is not known whether there are other non-degenerate, bilinear hyperelliptic 
pairings on $G_1 \times G_2$ which are not part of the HV framework. 

Lastly, we remark that the computation of an HV pairing cannot be measured solely by the sum 
of loop lengths. There is also the cost of computing the auxiliary functions (see (2), (3) in Section 
4.6). It remains to formally compare the cost of these additional computations with the benefit of 
a shorter total sum of Miller loop lengths. 



6.2. Using efficiently computable automorphisms. One newer method to speed up computa- 
tions is to use efficiently computable automorphisms of the curve $C$ (beyond the Frobenius). For 
example, Fan, Gong and Jao use efficiently computable automorphisms in computing a power of the 
modified Tate-Lichtenbaum pairing on some specific non-supersingular genus 2 curves over prime 
fields [16]. An open task is to explore how far this can be generalized to other genus 2 curves. 

Furthermore, Hess [40] extends his pairing framework for ordinary elliptic curves to exploit efficiently 
computable automorphisms. This does not generally give an improved loop length since $\#\mathcal{E} \leq \varphi(k)$ 
for most ordinary elliptic curves. However, as hyperelliptic curves have a greater variety of $\mathrm{Aut}(C)$, 
it would be worthwhile to examine what improvements in loop length can be made by extending the 
HV framework to exploit these automorphisms. 



6.3. Fast arithmetic and the embedding degree. In the case of even embedding degree $k$, it 
is traditional to exploit the degree two subfield, as explained in Section 5.3. In fact, Koblitz and 
Menezes define pairing friendly fields to be finite fields of the form $\mathbb{F}_{q^k}$ such that $k = 2^i 3^j$ for 
$0 \leq i, j \in \mathbb{Z}$ and $q \equiv 1 \pmod{12}$ [48, §5]. (If $k$ is strictly a power of 2 then it is only required that 
$q \equiv 1 \pmod 4$.) By a theorem of Lidl and Niederreiter [56, Theorem 3.75] and more particularly, by 
a specific instance of this theorem given by Koblitz and Menezes [48, Theorem 2], we can construct 
the extension $\mathbb{F}_{q^k}$ for $k$ of this form using a tower of quadratic and cubic extensions. There are thus 
certain advantages we can make use of for $k = 2^i 3^j$. For instance, there exist fast arithmetic methods 
for degree 2 and 3 subextensions; namely, the Karatsuba method for quadratic subextensions and the 
Toom-Cook method for cubic subextensions [46, §4.3.3]. These methods are used to economize the 
arithmetic in the smaller fields, which reduces the number of field multiplications. However, there are 
embedding degrees not of this form, particularly among recent constructions of non-supersingular 
curves, and hence it would be worthwhile to see if these ideas can be extended to embedding degrees 
$k$ containing other prime factors. 



26 J. BALAKRISHNAN, J. BELDING, S. CHISHOLM, K. EISENTRÄGER, K. STANGE, AND E. TESKE 

6.4. Degenerate divisors. As discussed in Section 5.4, one common optimization is to use degen- 
erate divisors. Frey and Lange [24] give a lower bound on the probability that $P \in C(\mathbb{F}_{q^k})$ gives 
a non-trivial pairing value when used as a degenerate divisor in the second argument of the Tate- 
Lichtenbaum pairing. However, to our knowledge, there is no method to efficiently find such points 
beyond simple trial and error. 

We also consider using degenerate divisors with Ate-type pairings $a$ on $G_2 \times G_1$ (or twisted Ate on 
$G_1 \times G_2$). While a heuristic argument shows that the likelihood that a divisor of $G_1$ is degenerate 
is small, it would be useful to know if there are particular curves where this is more likely and if 
so, how to find such divisors. It also remains to analyze the likelihood that an element of $G_2$ is 
degenerate. We note that for $D \in G_2$, if $D = (P) - (\infty)$, then $\pi(D) = (\pi(P)) - (\infty)$ implies that 
the divisor class $qD$ is also degenerate. 

6.5. Ignoring the last bit. In the case of the modified Tate-Lichtenbaum pairing on elliptic curves, 
when computing $f_{r,D_1}(D_2)$, it is possible to ignore the last bit in the expansion of $r$. This follows 
from the fact that since $r$ is odd, the last iteration of the Miller loop of the Tate-Lichtenbaum pairing 
is the evaluation at $D_2$ of the line function corresponding to the line through $(r-1)P$ and $P$. This is 
a vertical line and so by the choice of divisor $D_2$ with $x$-coordinates lying over $\mathbb{F}_{q^d}$, this is eliminated 
by the final exponentiation. While this does not give a large improvement compared to other loop 
length reductions, it is worth verifying whether this trick might be used in the case of hyperelliptic 
curves. 

6.6. Compression and higher degree twists. Galbraith and Lin [30] give explicit formulas to 
compute the Weil pairing on elliptic curves given only $x$-coordinates, and the Tate-Lichtenbaum and 
Ate pairings given both $x$-coordinates but at most one $y$-coordinate. This form of point compression 
is advantageous for elliptic curve pairings with small embedding degree, where one would be working 
over a field of large order (and consequently, taking a square root to recover $y$ could be expensive). 
The compression makes use of explicit recurrence formulas for elliptic curve point multiplication and 
for Miller functions in the case of embedding degree $k = 2$. As these recurrences are given solely in 
terms of the $x$-coordinate of the point, the pairings are also computed in terms of the $x$-coordinate 
of the points involved. Note, however, that neglecting the value of $y$ introduces a sign ambiguity, 
but this is resolved by taking the trace of the pairing, which is independent of the sign of $y$. It is 
perhaps worth investigating if the analogous results may be obtained for hyperelliptic pairings (for 
curves of the form $y^2 = F(x)$) of small embedding degree. 

Another form of compression involves algebraic tori, which are $d$-dimensional generalizations of 
the multiplicative group $\mathbb{G}_m$. Naehrig, Barreto and Schwabe [60] use algebraic tori to compress 
computations, not just in the final exponentiation but also in the Miller loop of elliptic curve pairings. 
Their methods rely on explicit formulas for multiplication and squaring of torus elements and also 
exploit degree 6 twists. One might want to try similar methods for certain twists of hyperelliptic 
curves. 

Another benefit of twists, as explained in Section 4.7, is that curves with a twist of degree $d$ allow 
one to use the twisted versions of Ate-type pairings. This means one computes the Miller function 
$f_{s,D_1}(D_2)$ for $D_1 \in G_1$ and the divisor $D_2 = (u(x), v(x)) \in G_2$ with $u(x)$ defined over the subfield 
$\mathbb{F}_{q^{k/\gcd(d,k)}}$, as opposed to computing $f_{s,D_2}(D_1)$. Furthermore, the points of $G_2$ can be represented as 
points on the Jacobian of the twist $C'$ which allows for faster computations in the group $G_2$. The 
example of Zhang [74] uses a twist of degree 8; to our knowledge, pairings on curves with twists of 
degree 10 have not been implemented. 






6.7. Trace zero subvarieties. For a hyperelliptic curve $C$ of genus $g$ defined over $\mathbb{F}_q$, a trace 
zero subvariety of $C$ is a subgroup of the Jacobian of $C$ whose construction is connected to the 
Weil restriction of scalars. The use of trace zero varieties for cryptographic applications was first 
suggested by Frey [23]. The trace zero subvariety of $C$ over a field extension of degree $\ell$ is a subgroup 
of $\mathrm{Jac}_C(\mathbb{F}_{q^\ell})$, which is isomorphic to the quotient $\mathrm{Jac}_C(\mathbb{F}_{q^\ell})/\mathrm{Jac}_C(\mathbb{F}_q)$. 

It can also be defined concretely as follows: Let $\pi$ be the $q$-th power Frobenius. Let $\ell$ be a prime 
and assume that $\ell \nmid \#\mathrm{Jac}_C(\mathbb{F}_q)$. We define the trace zero subvariety of $\mathrm{Jac}_C(\mathbb{F}_{q^\ell})$ to be the set 
of elements of trace zero, i.e., 

$$G_\ell(\mathbb{F}_q) := \{ D \in \mathrm{Jac}_C(\mathbb{F}_{q^\ell}) : D + \pi(D) + \cdots + \pi^{\ell-1}(D) = O \}.$$

Since $G_\ell(\mathbb{F}_q)$ is the kernel of the trace map, it is a subgroup of $\mathrm{Jac}_C(\mathbb{F}_{q^\ell})$. To perform arithmetic 
in a trace zero subvariety one can use the algorithms that work in the whole Jacobian. So far, no 
specific algorithms for the group law are known that make use of the subgroup properties. 

Since $G_\ell(\mathbb{F}_q)$ is a subgroup of $\mathrm{Jac}_C(\mathbb{F}_{q^\ell})$, we can define a Tate-Lichtenbaum pairing on it by re- 
striction: suppose the order of $G_\ell(\mathbb{F}_q)$ is divisible by a large prime factor $r$, but not by $r^2$. Let 
$G_1 := G_\ell[r] \cap \ker(\pi^\ell - [1])$ and $G_2 := G_\ell[r] \cap \ker(\pi^\ell - [q^\ell])$. Then the Tate-Lichtenbaum pairing on 
$G_\ell$ is a map 

$$t : G_1 \times G_2 \to \mu_r.$$

On the points of $G_1$, $\pi$ acts as multiplication by an integer $s$ ([13]), and the same is true for the 
action of $\pi$ on $G_2$ ([9, Proposition 3]). Cesena [9] gives a new algorithm for computing the Tate- 
Lichtenbaum pairing over trace zero subvarieties of supersingular elliptic curves by exploiting the 
action of the $q$-Frobenius. He uses the fact that the $q$-Frobenius $\pi$ is an efficient endomorphism 
(rather than just the $q^\ell$-Frobenius), together with the fact that for particular supersingular elliptic 
curves the action of the Frobenius can be computed more efficiently [9, Lemmas 1-3]. For these 
curves, the action of $\pi$ is (close to being) multiplication by a power of $q$. 

Experimentally, Cesena's algorithm is as efficient as the Tate-Lichtenbaum pairing on supersingular 
elliptic curves, though less efficient than the eta pairing $\eta_T$ or the optimal Ate pairing of Vercauteren. 
It remains to explore whether Cesena's algorithm generalizes to supersingular hyperelliptic curves 
or non-supersingular trace zero varieties. 

6.8. Exploiting torsion groups of dimension $> 2$. If $r$ is coprime with the characteristic of 
$\mathbb{F}_q$, the $r$-torsion group of a Jacobian variety of dimension $g$ is isomorphic to $(\mathbb{Z}/r\mathbb{Z})^{2g}$. With the 
exception of the recent work by Okamoto and Takashima [63], all known pairing-based cryptographic 
applications require only two linearly independent torsion points and thus can be realized in the 
elliptic curve setting; in fact, the Okamoto-Takashima protocols can also be implemented 
using a product of two (supersingular) elliptic curves. It is an open problem to find a cryptographic 
application that uses curves of genus 2 (or larger) and that does not work using elliptic curves. Both 
for the ordinary and the supersingular case, constructions of Jacobians of dimension 2 with low full 
embedding degree (cf. Section 3.3) are available ([18, 63]). 

6.9. More Problems. For completeness, we include the problems posed by Galbraith, Hess and 
Vercauteren [29], making note of any recent advancements: 

(1) Construct pairing-friendly ordinary hyperelliptic curves with smaller $\rho$-values. At this point 
in time, the smallest $\rho$-value obtained for an ordinary hyperelliptic curve of small embedding 
degree is $\rho \approx 20/9$ (for $g = 2$, $k = 27$; cf. Section 3). It is highly desirable to have curves 
with $\rho$-value $< 2$. 

(2) Curves with $g \geq 3$. For curves with $g \geq 3$, is it possible to develop efficient pairing-based 
cryptosystems which are also secure against the index calculus attacks available for these 
curves? 

(3) Pairings on real models of hyperelliptic curves. There have been recent examples [31] of 
efficient pairing computations on real models of hyperelliptic curves, as remarked in Section 
5.6. Are real models competitive with the imaginary models in general? Furthermore, are 
there efficient pairings on non-hyperelliptic curves? 

(4) Torsion structure. Is there an efficient method for selecting divisors from $\mathrm{Jac}_C(\mathbb{F}_{q^k})[r]$ for 
pairing computations? (See also Section 6.4.) Furthermore, if this group has more than two 
generators, what cryptographic applications are possible? (See also Section 6.8.) 

(5) Rubin-Silverberg point compression and Weil restriction. Can the Rubin-Silverberg method 
(see Section 5.5) be made more efficient in the elliptic curve case and/or generalized to 
Jacobians of curves of genus $g \geq 2$? 

(6) Weil restriction. As in Rubin-Silverberg point compression, certain abelian varieties can be 
identified with subvarieties of the Weil restriction of supersingular elliptic curves. When the 
abelian variety is a Jacobian, are there explicitly computable homomorphisms between the 
elliptic curve and the Jacobian representation? 